Magecart is behind a breach of Sotheby’s Home in which an unauthorized third party skimmed customer data from the website.

“We believe that the so-called ‘Magecart’ threat group, which has targeted a large number of e-commerce sites, and which is known to have previously targeted other companies whose websites use the same software Sotheby’s Home was using at the time, was responsible for the incident,” the company said in a statement sent to the Register.

Sotheby’s Home, previously Viyet, discovered the insertion of malicious code on October 10, telling customers, according to a report in the Register, “depending on the security settings of your computer, may have transmitted personal information you entered into the website’s checkout form to this third party.” The site serves a U.S. audience.

The data nicked could include names, email addresses, payment card numbers, CVV codes, expiration dates and addresses.

The auction house purchased the site in March, which Carter said “shows that due diligence during acquisition did not catch the malicious code, nor was it caught anytime between the acquisition and launch in October.”

“The Sotheby’s breach is another in the long list of businesses falling victim to Magecart and web vulnerabilities that turn e-commerce sites into delivery mechanisms for data stealing JavaScript,” said Rusty Carter, vice president of product management at Arxan Technologies. “Interestingly, Sotheby’s indicated it noticed malicious activity on the same day as the site was re-launched as Sotheby’s Home.”

He said detection of the vulnerability may have “been the result of what has been reported as sabotage between factions of Magecart.”

Because the malware was detected on October 10, but could have been in the system since March 2017, “it is possible that the new breach initiated a careful audit that discovered the resident malware that was stealing data since early 2017,” Carter said.

“The long-lasting effects of theft against consumers are met with minimal corrections from many businesses and a lack of accountability,” he said, noting that “with GDPR and other privacy and data protection regulations coming into effect, it is disappointing to see breach after breach affecting consumers and their private information, but it shows that the traditional security approaches are insufficient to properly protect consumers and their data.”

He called for organizations “to protect the applications that customers interact with, where they are most vulnerable (in the user’s machine/browser) and not just in the data center.”