Hackers May Have Struck Gold in JM Bullion Data Breach

Online precious-metals retailer JM Bullion has reportedly disclosed a months-long data breach that could have been extremely costly.

TechRadar reported that, as JM Bullion posted more than $3 billion in revenue across the past 8 years, the hack could potentially be “the most expensive data breach ever.”

According to a notice sent to customers, the Texas-based company’s website was hacked and infected with malicious code from February 18 to July 17, as Bleeping Computer reports. The code “had the ability to capture customer information entered into the website in limited scenarios while making a purchase,” reads the notice, which was posted to Reddit.

Hackers were able to access affected customers’ names, addresses and payment card information, including the account number, expiration date and security code, according to the notice. The company added that this information was exposed in only a “small portion” of transactions on the site, which sells gold, silver, copper, platinum and other similar products. JM Bullion’s website states that it ships more than 30,000 orders each month.

JM Bullion said in the notice that it became aware of the breach on July 6. The Reddit user said the letter to customers was emailed on October 31.

As ThreatPost reports, JM Bullion didn’t immediately respond to a request for comment, but a customer service person reached by phone said the email was sent only to affected customers.

While the identity of the hacker is unclear, ThreatPost notes that the situation here looks similar to a Magecart payment-skimming attack. Magecart is a name used for several different sets of cyber attackers who post card-skimming code on websites’ checkout pages.

Ameet Naik, security evangelist at PerimeterX, told ThreatPost that a five-month delay in detecting a Magecart attack is not uncommon. However, Ray Walsh, digital privacy expert at ProPrivacy, told ITPro that the length of time it took JM Bullion to uncover the attack was “extremely concerning.” Walsh added, “There is a serious risk that this data may have been sold on the dark web, which means that the investors involved could be facing an ever-growing risk of fraud.”
