BevMo payment breach affects thousands, with researchers pointing to Magecart

The company says hackers ran malicious script on its website that was able to skim payment information for nearly two months.

BevMo, a California-based retailer of alcoholic beverages, is notifying some customers that a data breach affected the online store exposed credit card information used between Aug. 2 and Sept. 26.

In a notice submitted to the California attorney general’s office, BevMo says that hackers were able to install malicious code onto the company’s checkout page, skimming customer information including names, payment card numbers, expiration dates and security codes, addresses, as well as phone numbers.

BevMo says the malicious code has been removed by NCR Corporation, which operates BevMo’s website. NCR, which sells point-of-sale systems and provides IT services, notified BevMo of the breach and sponsored a third-party investigation into it, according to BevMo’s notice. NCR did not respond to a request for comment.

A local NBC  station in the San Francisco Bay Area reported that the breach affected 14,579 customers. BevMo has stores in California, Arizona and Washington, but ships online orders to eight other states and Washington, D.C., according to its website.


BevMo did not identify the hackers who compromised its website, but security researchers suggested the breach it bears the hallmarks of Magecart, a loosely associated set of hackers known for targeting payment information used online. Magecart is linked to breaches on British Airways, Ticketmaster UK, Newegg and others. The hackers often operate by finding a way to run their own malicious JavaScript code on a victims’ website.

BevMo says it is conducting its own independent investigation, and that it has contacted law enforcement and the payment card companies. It’s also urging customers to keep an eye on their credit reports and payment card accounts.

“BevMo takes the privacy of our customers’ personal information seriously and we deeply regret that this incident occurred,” the company said in its notice. “To help prevent something like this from happening again in the future, the service provider [NCR] is continuing to review and enhance security controls and continuing to monitor its systems to further detect and prevent unauthorized access.”

Latest Podcasts