BevMo, a California-based retailer of alcoholic beverages, is notifying some customers that a data breach affected the online store exposed credit card information used between August 2 and Sept. 26.
In a notice submitted to the California attorney general’s office, BevMo says that hackers were able to install malicious code onto the company’s checkout page, skimming customer information including names, payment card numbers, expiration dates and security codes, addresses, as well as phone numbers.
BevMo says the malicious code has been removed by NCR Corporation, which operates BevMo’s website. NCR, which sells point-of-sale systems and provides IT services, notified BevMo of the breach and sponsored a third-party investigation into it, according to BevMo’s notice. NCR did not respond to a request for comment.
A local NBC station in the San Francisco Bay Area reported that the breach impacted 14,579 customers. BevMo has stores in California, Arizona and Washington, but ships online orders to eight other states and Washington, D.C., according to its website.
Yes, the data was stolen via Magecart script
http://netmg-cdn[.]com/activityi/src_4064601/type_unive909/cat_newbe0/reserv.js – you can view an archived scan of their site when it was still compromised here: https://t.co/i6Bc8d1Qy6 pic.twitter.com/txhPUIidDs
— Bad Packets Report (@bad_packets) December 27, 2018
— Kevin Beaumont (@GossiTheDog) December 27, 2018
BevMo says it is conducting its own independent investigation, and that it has contacted law enforcement and the payment card companies. It’s also urging customers to keep an eye on their credit reports and payment card accounts.
“BevMo takes the privacy of our customers’ personal information seriously and we deeply regret that this incident occurred,” the company said in its notice. “To help prevent something like this from happening again in the future, the service provider [NCR] is continuing to review and enhance security controls and continuing to monitor its systems to further detect and prevent unauthorized access.”