Texas-based precious metals distributor JM Bullion has notified some of its clients that cybercriminals may have compromised their payment card data, but the notification comes months after the intrusion was discovered.
Established in 2011, JM Bullion offers gold, silver, platinum and other precious metals and makes crypto-currency payments to consumers. In March 2018, the company passed 500,000 customers, according to its website, and it claims to ship over 30,000 orders every month.
The firm says on its website that consumer information is kept protected by “256-bit SSL encryption” and that, since it is processed by a third party, it does not have access to payment card information.
Over the weekend, however, one JM Bullion client announced on Reddit that they had received a letter from the company warning them of a data protection incident. The company said it was alerted to unusual activities on its website on July 6, when, with the assistance of third-party forensics experts, it opened an investigation.
The inquiry found that between February 18 and July 17, 2020, someone broke into JM Bullion's website and planted malicious code on the site. The malicious code was apparently designed to capture consumer data entered on the website, a technique known as web skimming or a Magecart attack.
JM Bullion reports that the malicious code gathered information only in "tiny scenarios" when clients were completing a transaction. Names, addresses and payment card details, including card number, expiration date and security code, were among the information stolen in this attack.
"JM Bullion is really serious about the confidentiality of personal details under its possession. JM Bullion has contacted law enforcement, our card processor, and the credit card brands in relation to this incident and continues to cooperate with them when required. In order to secure consumer knowledge in our hands, we have checked our internal processes and introduced new protections on our website," Michael Wittmeyer, CEO of JM Bullion, told clients.
Clients who commented on the Reddit thread seemed disappointed that it took five months for the company to detect the breach and another three months to notify those affected. Others expressed concern that the disclosure of physical addresses is especially serious, since someone could use those details to target the homes of people who have purchased precious metals.