A warning has been issued by the Concord, California-based alcoholic beverages retailer BevMo informing its customers about a data breach that its online store experienced between 2 August and 26 September. During the attack, credit card data of its customers was exposed.
“BevMo takes the privacy of our customers’ personal information seriously and we deeply regret that this incident occurred,” stated BevMo in its warning to customers.
Reportedly, BevMo’s online store experienced a data breach in which the attacker managed to steal credit and debit card numbers, phone numbers, home addresses, and security codes of over 14,000 BevMo customers who have used the website during the abovementioned time period.
The company revealed that the attacker planted malicious code on the online store’s checkout page. This code was written specifically to obtain information that the customers enter while placing an order. Hence, the order information placed between 2 Aug and 26 Sept was exposed to the hacker(s).
BevMo claims that the malicious code has now been removed with the help of NCR Corporation, which is responsible for running the website, and an investigation is already launched to probe the attack.
“To help prevent something like this from happening again in the future, the service provider is continuing to review and enhance security controls and continuing to monitor its systems to further detect and prevent unauthorized access,” BevMo explained in its warning notice.
The hackers haven’t yet been identified by BevMo but it is speculated that Magecart is involved as the breach has the group’s hallmarks. Magecart is a group of hackers that has previously been involved in attacking payment information systems online and has pulled off data breaches targeting VisionDirect, Sotheby’s, British Airways, Newegg, and Ticketmaster UK, etc. Usually, Magecart tries to identify a loophole in the system to install and run their customized malicious JavaScript code on the targeted website. The same is evident in the case of BevMo.
BevMo has contacted law enforcement agencies as well as payment card firms and requesting users to remain alert and keep checking their payment card accounts and credit reports. The California attorney general’s office has also been informed about the data breach.