BevMo / NCR Corp. E-Commerce Payment Breach (2018)
Incident Details
BevMo, a California-based alcohol retail chain, disclosed in late 2018 that its e-commerce website had been compromised by a payment card skimming attack affecting 14,579 customers. The breach window ran from August 2 to September 26, 2018, a period of nearly two months during which malicious JavaScript code silently harvested payment data from customers completing online purchases.
BevMo’s website was managed and operated by NCR Corp., a major point-of-sale and e-commerce technology provider. NCR discovered the malicious code embedded in the checkout page and removed it. A third-party forensics firm was subsequently retained to assist with the investigation. The attack is consistent with the Magecart threat group’s techniques, though BevMo did not formally attribute the attack to any specific actor.
The skimmer was injected into the checkout page’s JavaScript, activating when customers entered payment details at the point of purchase. The data harvested included customers’ full names, credit and debit card numbers, card expiration dates, CVV2 security codes, billing addresses, shipping addresses, and phone numbers. The inclusion of CVV2 codes made the stolen data particularly dangerous, as it enabled card-not-present fraud without requiring additional data.
BevMo notified the California Attorney General’s office and alerted affected customers, law enforcement, and payment card companies. The company advised affected customers to monitor their accounts and offered guidance on disputing fraudulent charges.
This incident fit a broader pattern of Magecart-affiliated attacks against e-commerce platforms in 2018, including high-profile compromises of British Airways and Ticketmaster in the same year. In these attacks, threat actors target third-party website management and e-commerce platform vendors rather than the retailer directly, giving attackers access to many merchants through a single point of compromise at the platform provider. NCR Corp. serves thousands of retailers, making any compromise of its managed website infrastructure potentially far-reaching.
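A defender-side check for the kind of checkout-page script injection described above, as an added example that is not code from BevMo, NCR or the incident report: it audits a page's script tags against a reviewed baseline of origins and inline-script hashes. The baseline shape, the function names and the example.* hosts are assumptions, and the sample pages are constructed.

```javascript
const crypto = require('node:crypto');

// CSP-style hash of an inline script body: "sha256-<base64>".
function inlineHash(body) {
  return 'sha256-' + crypto.createHash('sha256').update(body, 'utf8').digest('base64');
}

// Extract script tags with a regex, which is enough for the constructed sample;
// use a real HTML parser against production markup.
function extractScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const m of html.matchAll(re)) {
    const attrs = {};
    for (const a of m[1].matchAll(/([\w-]+)\s*=\s*"([^"]*)"/g)) attrs[a[1].toLowerCase()] = a[2];
    scripts.push({ src: attrs.src || null, integrity: attrs.integrity || null, body: m[2] });
  }
  return scripts;
}

// Compare every script on the page with the reviewed baseline (hypothetical shape:
// { pageOrigin, allowedOrigins: Set, inlineHashes: Set }) and report deviations.
function auditCheckoutScripts(html, baseline) {
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.src) {
      const origin = new URL(s.src, baseline.pageOrigin).origin;
      if (!baseline.allowedOrigins.has(origin)) {
        findings.push({ type: 'unexpected-origin', detail: origin });
      } else if (origin !== baseline.pageOrigin && !s.integrity) {
        findings.push({ type: 'missing-sri', detail: s.src });
      }
    } else if (!baseline.inlineHashes.has(inlineHash(s.body))) {
      findings.push({ type: 'unreviewed-inline', detail: inlineHash(s.body) });
    }
  }
  return findings;
}
// Constructed sample data; the example.* hosts are placeholders, not incident indicators.
const REVIEWED_INLINE = 'initCheckout();';
const baseline = {
  pageOrigin: 'https://shop.example',
  allowedOrigins: new Set(['https://shop.example', 'https://cdn.example']),
  inlineHashes: new Set([inlineHash(REVIEWED_INLINE)]),
};
const cleanPage = `<script src="/js/cart.js"></script>
<script src="https://cdn.example/pay.js" integrity="sha384-PLACEHOLDER"></script>
<script>${REVIEWED_INLINE}</script>`;
const changedPage = cleanPage +
  '<script src="https://stats.example/t.js"></script><script>initCheckout();track();</script>';
```

Run on a schedule against the rendered checkout page, any finding means the page no longer matches what was reviewed, which is the signal that went unnoticed for the breach window described here.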
Technical Details
- Initial Attack Vector: Magecart-style JavaScript skimmer injected into BevMo's e-commerce checkout page via compromise of NCR Corp.'s managed website platform; malicious code siphoned payment card data at point of entry in real time
- Vendor / Product: NCR Corp.
- Malware Family: JavaScript payment card skimmer (Magecart-style)
- Supply Chain Attack: Confirmed third-party / vendor compromise
Timeline
- 2018-08-02 Breach occurred
- 2018-12-01 Publicly disclosed
- 2018-12-01 Customers notified