Skip to main content

This could be the most expensive data breach ever

Data Breach
(Image credit: Shutterstock)

An online retailer of precious metals has revealed that it has been the victim of a significant data breach.

 JM Bullion, which sells gold, silver, copper, platinum and palladium, became the victim of a cyberattack back in February that was not discovered until July. It remains unclear why the hack is only just being disclosed publicly.

This type of attack is known as MageCart and works by placing lines of malicious JavaScript code into a website. Then, when an individual enters payment information, the code diverts it to an external server operated by the hacker.

"On July 6, 2020, JM Bullion was alerted to suspicious activity on its website. JM Bullion immediately began an investigation, with the assistance of a third-party forensic specialist, to assess the nature and scope of the incident,” a notice sent to JM Bullion customers read. 

“Through an investigation, it was determined that malicious code was present on the website from February 18, 2020 to July 17, 2020, which had the ability to capture customer information entered into the website in limited scenarios while making a purchase.”

Five months

Potentially, this breach could have resulted in hugely sensitive information, including customer names, addresses and even payment information, falling into the wrong hands. The malicious code was only removed from JM Bullion website on July 17 – meaning that it was present for a staggering five months.

Law enforcement officials have been notified regarding the breach and anyone that purchased items from the JM Bullion website between February 18 and July 17 have been advised to monitor their bank statements to check for fraudulent activity.

Although there have been no reports of malicious activity stemming from the hack as of yet, JM Bullion did post sales in excess of $3 billion over the past eight years. If cyberattackers use ill-gotten credentials to conduct fraudulent activity, it could end up being a hugely costly data breach for the company and its customers.

Via Bleeping Computer