Cyber Incident Victim: BevMo

Date: Aug 2018

Location: United States of America

Summary

A data breach at BevMo compromised payment and personal information for approximately 15,000 e-commerce customers after malicious code was injected into the retailer's checkout page by an unauthorized actor. The third-party-managed website vulnerability allowed theft of names, payment card details, security codes, addresses, and phone numbers during online transactions over a multi-month period before detection. NCR Corporation, responsible for site operations, removed the malicious script and engaged forensic investigators, while the company notified law enforcement and financial institutions; the affected website remained flagged as insecure without displaying breach notifications to visitors.

Description

In December 2018, alcohol retailer BevMo disclosed a data breach impacting approximately 15,000 customers who used its e-commerce platform. The breach occurred when an unauthorized individual gained access to the company's website checkout page and inserted malicious code designed to capture payment information. BevMo's website was managed by NCR Corporation, which discovered the compromise during its investigation. The malicious code operated between August 2 and September 26, 2018, harvesting customers' names, credit or debit card numbers, expiration dates, CVV2 security codes, billing addresses, shipping addresses, and phone numbers. BevMo operates physical stores across California, Arizona, and Washington but confirmed the breach exclusively affected online shoppers. The company formally reported the incident to the California Attorney General's office in compliance with state breach notification laws.

NCR Corporation removed the malicious code from BevMo's checkout page upon discovery, terminating the data exfiltration. BevMo engaged an unnamed third-party forensics firm to assist with investigating the breach's scope and origin. The retailer coordinated with law enforcement agencies and notified major credit card companies about the compromised payment details. Despite these actions, BevMo's website remained labeled as "insecure" following the breach disclosure, with no visible warnings to visitors about potential data compromise risks. The company did not publicly disclose whether affected customers received direct notifications beyond regulatory filings. The breach exposed highly sensitive financial and personal information capable of facilitating identity theft and fraudulent transactions, though specific details about misuse of stolen data were not provided in regulatory submissions.
