Last Updated on 08/11/2020 by Tuhin
JM Bullion is the leading online bullion dealer in the United States. The online retailer has disclosed that it fell victim to a data breach that compromised and leaked the PII and credit card details of its customers.
JM Bullion and its subsidiary, Provident Metals, both sent a “Notice of Data Security Incident” to all customers affected by the data breach. The notice stated that although the attack began on February 18, 2020, it was not discovered until July 2020.
Suspicions were raised among the IT officials of the company on July 6, 2020, when they observed malicious activity on their website.
The Notice sent out to customers further stated, “JM Bullion immediately began an investigation, with the assistance of a third-party forensic specialist, to assess the nature and scope of the incident. Through an investigation, it was determined that malicious code was present on the website from February 18, 2020, to July 17, 2020, which had the ability to capture customer information entered into the website in limited scenarios while making a purchase.”
This attack has all the hallmarks of a classic Magecart attack. The threat actors planted malicious JavaScript code on the website, which stole information while customers made a purchase.
Only customers who made transactions between February 18 and July 17 are at risk. The attackers were able to exfiltrate the personal data and credit card details that JM Bullion’s customers used during the checkout process. The stolen information includes customers’ names, addresses, and payment information, including account numbers, expiration dates, and security codes.
JM Bullion has notified the necessary law enforcement authorities and reviewed its security measures. The company has amped up its vigilance and taken steps to prevent similar incidents from occurring in the future. It has also suggested the following steps for customers to protect themselves against identity theft and fraud:
- Carefully review your account statements and monitor your credit reports for suspicious activity.
- Place a “security freeze” on your credit reports, which prevents potential creditors from accessing your credit file.
- As an alternative to a security freeze, place an initial or extended “fraud alert” on your file at no cost.
- Contact the consumer reporting agencies, the Federal Trade Commission, or your state Attorney General for your protection.