Cyber Incident Victim: Liquor Control Board of Ontario

Date: Aug 2023

Location: Canada

Summary

The Liquor Control Board of Ontario was targeted in a cyberattack that compromised its promotional email subscriber list. An unauthorized party accessed customer data, including names, email addresses, and potentially other provided information like dates of birth. The incident was separate from a previous attack and did not impact the LCBO's own internal systems.

Description

On or around August 10, 2023, the Liquor Control Board of Ontario (LCBO) was the target of a cybersecurity incident, marking the second time the provincial corporation had been attacked within the same year. The LCBO was informed by its business partner, Conversion Digital, a company it contracts to send promotional emails, that an unauthorized party had gained access to the personal information of some subscribers on the LCBO's email list. This incident was distinct from a previous cyberattack that had affected the organization's online sales operations in January, and it was confirmed that the two events were not related. The unauthorized access was not to the LCBO's own internal systems but was instead confined to the data managed by its third-party service provider for marketing communications.

The nature of the data breach involved the personal information of individuals who had subscribed to receive promotional emails from the LCBO. The compromised data included fundamental personal details such as individuals' first names and their email addresses. However, the LCBO warned its subscribers that other types of information provided during the subscription process for these promotional communications could also have been accessed by the unauthorized party. This additional information was noted to potentially include more sensitive personal data points such as an individual's date of birth, their postal code, and in some cases, their Aeroplan number, which is a loyalty program identifier.

Following the discovery of this incident, the LCBO undertook the necessary steps to address the breach and fulfill its regulatory obligations. The organization formally reported the attack to the Office of the Information and Privacy Commissioner of Ontario (IPC) on August 10, 2023. In its communication, the IPC emphasized that cyberattacks have become an increasingly significant threat to the security of personal information. The IPC further stated that organizations subject to privacy laws, such as the LCBO, have a responsibility to ensure that the information in their possession is kept secure, highlighting the important duty of care that entities must maintain over personal data, even when it is handled by third-party vendors.

A spokesperson for the LCBO provided a statement regarding the incident, clarifying that the attack impacting the email subscribers did not have any impact on the LCBO's own internal systems. This distinction was crucial as it indicated that the core operational technology and point-of-sale systems responsible for liquor sales and distribution across Ontario remained unaffected and secure. The breach was contained within the scope of the external email marketing service. The spokesperson also expressed the organization's values, stating, "We value and respect the trust of our customers and regret the concerns this incident may cause," acknowledging the potential unease and worry such an event could generate among its client base.

This event underscores a recurring challenge faced by the LCBO, as it represented the second cybersecurity incident the organization had experienced in a relatively short timeframe. The earlier incident, which occurred in January of the same year, was a separate attack that had directly impacted the LCBO's online sales platform. That previous attack involved unauthorized access to customer credit card information, which is typically considered among the most sensitive types of financial data. The fact that two different types of attacks occurred within months of each other, albeit through different vectors and targeting different systems, points to the persistent targeting of large, public-facing organizations by malicious actors.

The available reporting did not detail the specific method of attack used in the August incident, leaving the technical execution of the breach undefined. Similarly, the motives behind the attack, whether financial gain, espionage, or simply disruption, were not explicitly stated. The reporting did not give the number of individuals potentially affected, so the full scope of the breach in terms of the volume of compromised customer records remains unknown. Nor was any information provided about immediate actions taken by the LCBO or Conversion Digital to mitigate the breach upon its discovery, such as containing the access or securing the affected systems.

The incident highlights the complex nature of modern cybersecurity, where an organization's attack surface extends beyond its own digital perimeter to include all its third-party partners and service providers. The reliance on external vendors for critical business functions, such as customer communication and marketing, introduces additional risk vectors that must be managed. In this case, the compromise occurred at the level of the service provider, Conversion Digital, indicating that the security postures of all partners in a supply chain are integral to the overall protection of customer data. This breach serves as an example of how a vulnerability in a third-party system can directly lead to a data incident for the primary organization, even if its own defenses remain uncompromised.

The regulatory response involved the mandatory reporting to the provincial privacy commissioner, which is a standard procedure under privacy laws following a breach that involves personal information. This step is designed to ensure transparency and allows the oversight body to be aware of the incident and to provide guidance or investigation if necessary. The IPC's commentary on the event framed it within the larger context of a growing threat landscape, where cyberattacks are increasingly common and pose a substantial risk to the privacy and security of individuals' data. The statement from the IPC served as a reminder of the legal obligations that organizations have to protect the information they collect and hold, regardless of whether it is stored on their own systems or with a contracted agent.

In the aftermath of the incident, the primary concern was for the subscribers whose personal information was exposed. While the data breached did not include highly sensitive financial information like credit card numbers, as was the case in the January attack, the combination of an email address, first name, date of birth, and postal code can still be valuable information for malicious purposes such as targeted phishing campaigns, identity theft, or social engineering attacks. The inclusion of Aeroplan numbers for some individuals added another layer of potential risk, as loyalty program accounts can sometimes be exploited for fraud or linked with other data sets to build comprehensive profiles of individuals. The LCBO's public notification to its subscribers was an important step in informing them of the potential risk so they could remain vigilant.
