Canadian marketing company hit by data breach, says Ontario liquor board

A Canadian marketing company that counts some of the country’s biggest corporations as its customers has been hit by a data breach.

One of them is the Liquor Control Board of Ontario (LCBO), a Crown corporation that sells spirits and wine in stores across the province. In an email sent to customers today, the board said it was told on Aug. 9 by Toronto-based Conversion Digital that it was recently hit by a data breach, with data of LCBO customers it holds accessed by a hacker.

The LCBO uses Conversion Digital to send promotional emails and newsletters to subscribers. The data copied consisted primarily of first name and email address of certain email subscribers, the LCBO said in its notification. But if the subscriber chose to enter other information into an email registration form, the stolen data could also have included date of birth, postal code and their Aeroplan number.

No customer password or financial information was involved, the LCBO said, nor were its IT systems compromised.

Asked for comment, the LCBO said an official wasn’t available for an interview. The spokesperson didn’t say how many subscribers were affected.

A request for comment was left with Conversion Digital. IT World Canada had received no reply by publication time.

Among the clients listed on Conversion Digital’s web page are one of Canada’s biggest banks, a professional sports team conglomerate, and an e-commerce provider.

The company doesn’t only email corporate messages. According to the Conversion Digital  website, for the LCBO it had created myLCBO, a personalized recommendation and recipe pairing email program. It segments customers by their loyalty card (originally Air Miles, now Aeroplan) purchases and is deployed biweekly, with personalized recommendations, recipe pairings, additional video and informational content. For this project, Conversion Digital also does the data analytics, designs and deploys emails, and provides biweekly reporting to the LCBO.

The LCBO said in its message to subscribers that it has temporarily suspended promotional emails until the investigation of the breach is complete.

Marketing and media companies are prime targets for hackers because they hold large databases of email addresses. In January, Mailchimp said a hacker accessed the accounts of 133 of its business customers after an employee or contractor fell for a social engineering attack. Each of those customers would have had an email contact or subscriber list that Mailchimp would use for sending email messages.

TechCrunch reported that, as a result of that breach, e-commerce plugin WooCommerce notified customers that their names, email addresses and store web addresses were stolen.

The January theft followed two 2022 data breaches at Intuit-owned Mailchimp.

Founded in 2010, Conversion Digital says on its website that it runs 750 email campaigns a year involving more than 1 billion messages.