Payment Card Numbers And Other Customer Data May Have Been Compromised
In a notification letter filed with the Montana Department of Justice, precious metal trader JM Bullion has revealed that an unknown amount of customer information has been compromised in a data breach that appears to have occurred during a five-month period earlier this year.
The Dallas-headquartered online retailer says malicious skimmer code was found on its website and was capable of capturing customer payment card information during the purchasing process. The compromised data includes names, addresses, account numbers, expiration dates and security codes.
The suspicious activity on JM Bullion’s website was first detected on July 6 and upon further investigation was found to be present from Feb. 18 to July 17, according to a notice sent by the company to its customers.
Only customers who made a purchase through the website when the skimming code was active were sent a notification letter.
“These scenarios represented a small portion of the transactions processed on JM Bullion’s website during the impacted time frame. Your payment card information could be at risk. The malicious code found was permanently removed from the website on July 17, 2020,” the company notes.
The company did not speculate in its data breach notification how the attacker gained entry, but one researcher believes it could be through a malicious plugin.
“Based on similar compromises, the attacker’s way in was likely through outdated or buggy WordPress plugins,” Zach Varnell, senior applications security consultant at the security firm nVisium, tells Information Security Media Group. “This breach underscores the importance of basic patch maintenance, security hygiene and vulnerability management. Keep all software and libraries updated and current, prefer well-vetted plugins over bespoke hacks and have systems and plans in place to continuously detect threats and remediate new security issues effectively.”
At this time it is not known how many customers are affected, but JM Bullion notes on its site it ships more than 30,000 orders per month and has more than 500,000 customers. A company representative could not be immediately reached for comment.
Response Time Concerns
“The attack against JM Bullion is concerning for two main reasons. The first is the five-month dwell time the attackers had between initially compromising JM Bullion’s website and the eventual remediation. The second is the additional three months between their remediating the breach and notifying the users who may have been affected,” Saryu Nayyar, CEO of security firm Gurucul, tells ISMG.
“Neither of those statistics inspires confidence, which is even more of an issue in the financial services and commodities sectors. Very few details are available, but it would appear there are some gaps in JM Bullion’s security stack. A complete stack, including behavioral analytics, should have been able to identify the breach quickly, preventing the potential damage to their customer base,” Nayyar notes.
Mohit Tiwari, co-founder and CEO at Symmetry Systems, says steps beyond simply hardening website applications need to be taken to protect customer payment card data.
“For most websites, an alternative pragmatic solution could be to offload payment processing to a specialized service hosted separately from the main web-application. These services can be hardened and rely on multi-factor authentication (etc…) and keep customers’ financial information away from the large (and by definition) vulnerable web-application,” Tiwari tells ISMG.