A leading online gold retailer has revealed to customers that its website was hit by a Magecart-style data breach several months ago.

Dallas-headquartered JM Bullion describes itself as one of the largest sellers of precious metals in the world, with sales exceeding $3bn over the past eight years.

However, according to a breach notification letter sent to customers who were posted to Reddit, the card details used to make some of those sales may have been skimmed by attackers earlier this year.

“On July 6, 2020, JM Bullion was alerted to suspicious activity on its website. JM Bullion immediately began an investigation, with the assistance of a third-party forensic specialist, to assess the nature and scope of the incident,” the notice read.

“Through an investigation, it was determined that malicious code was present on the website from February 18, 2020, to July 17, 2020, which had the ability to capture customer information entered into the website in limited scenarios while making a purchase.”

JM Bullion confirmed that the unspecified malicious code was removed from its website on July 17, but question marks will remain over why it took the firm five months to discover the presence of malware on its systems and then several more months to notify customers.

Although it claimed that only “a small portion of the transactions processed on JM Bullion’s website during the impacted time frame” was taken, the stolen details included names, addresses, account numbers, expiry dates, and security codes.

That’s enough to carry out e-commerce fraud which would be difficult for many merchants’ filters to spot.

There appears to have been a surge in digital skimming attacks in 2020 as global COVID-19 lockdowns forced more consumers online. In September the largest ever Magecart campaign was spotted after 2000 e-commerce stores running Magento software were attacked in a single weekend.

There appears to be no confirmation of the incident on the JM Bullion site.