Sensitive Customer Information Exposed in JM Bullion Data Breach

NOTICE: If you made an online purchase from JM Bullion or its subsidiary Provident Metals between January 1, 2020 and July 17, 2020 and have received a NOTICE OF DATA BREACH, contact the Arnold Law Firm at (916) 777-7777.
On July 6, 2020, JM Bullion was alerted to suspicious activity on its main website. The online gold retailer discovered malicious code that reportedly captured the personal data and credit card details of its customers during the checkout process.


The unauthorized code was inserted on the www.jmbullion.com website on February 18, 2020 and remained active for five months until it was removed on July 17, 2020. JM Bullion also discovered malicious code on its subsidiary website www.providentmetals.com that compromised customer data from January 1, 2020 through July 17, 2020.

Sensitive personal information compromised in the JM Bullion data breach includes:

  • Names
  • Addresses
  • Financial account numbers
  • Credit and debit card numbers
  • Security codes
  • Expiration dates

The data breach appears to be a Magecart attack, a term that covers several threat groups that use the same type of cyberattack. These groups target websites that use the Magento e-commerce platform and inject malicious card-skimming JavaScript into the checkout and/or payment page. The code is designed to steal credit card details and send them to a remote server under the attackers' control.

JM Bullion reported the incident to law enforcement, but waited to notify customers until October 28, 2020, without explanation for the three-month delay between remediating the breach and notifying affected individuals. They also failed to explain the 11-day span during which the skimmer remained active after the company became aware of suspicious activity on the website.

JM Bullion claims that 28,234 customers were affected. However, the retailer has an estimated 500,000 customers and ships more than 30,000 orders per month. The company declined to offer identity theft protection services for affected customers.

JM Bullion was founded in 2011 and is headquartered in Dallas, Texas. The online precious-metal retailer deals exclusively in physical bullion, including gold, platinum, silver, copper and palladium. The company acquired Provident Metals in August 2019. Estimated annual revenues are $780 million.

The data breach lawyers at the Arnold Law Firm will continue to monitor the incident and provide updated information as our investigation continues.

If you made an online purchase from JM Bullion or its subsidiary Provident Metals between January 1, 2020 and July 17, 2020 and have received a NOTICE OF DATA BREACH, contact the Arnold Law Firm at (916) 777-7777 for a free case evaluation.