A website belonging to the Liquor Control Board of Ontario (LCBO), the largest beverage alcohol retailer in Canada, has been found to be infected with a credit card stealing script that steals customers’ private data.

“LCBO has experienced a cybersecurity incident, affecting online sales through LCBO.com,” the retailer wrote in a statement. “At this time, we can confirm that an unauthorized party embedded malicious code into our website that was designed to obtain customer information during the checkout process.”

Customers who used the payment page on the company website between January 5, 2023, and January 10, 2023, may have been affected in the attack. Exposed data may have included names, email and mailing addresses, Aeroplan numbers, LCBO.com account passwords, and credit card information.

The incident did not impact orders placed via the company’s mobile app. The investigation into the incident is still ongoing.