The company released a statement saying the breach allegedly began on October 31, 2012 and continued until last week. A representative said signs the computer system had been compromised began to surface early last year, but until this week federal investigators had asked Spec not to release details.

“This was a very sophisticated attack by one or more hackers who went to great lengths to cover their tracks,” spokeswoman Jenifer Sarver said. “It took a considerable amount of time for professional forensic investigators to find and understand the problem and then make recommendations to Spec’s to resolve and resolve them completely. “

Rick Dardenne, a Spec customer who lives in Fort Worth, said he learned his information had been compromised, possibly when he shopped at a Spec’s in Kingwood, after being given a new Amegy card Bank by mail. He said he called Amegy about two weeks ago and asked if the change was due to his shopping at Target. The customer service representative told him that there had also been a breach at Spec’s.

“I don’t like being kept in the dark,” Dardenne said. “Target at least communicated with customers earlier.”

“Exceptionally long”

Tim Erlin, director of IT risk strategy at data security firm Tripwire, agreed the breach “was exceptionally long.” He also said the security measures in place “were clearly ineffective or inadequate”.

Sarver said that after receiving alerts from a major lending institution and the company that processes many of his card payments, Spec called in private investigators and turned over evidence to the U.S. Secret Service. The violation may have lasted until March 20.

“I’m surprised the investigation went on for so long without them finding the root of the problem,” Erlin said, adding that Spec’s did the right thing by hiring a private investigator after discovering that some kind of fraud used to take place.

Neiman Marcus also learned from an outside source that there had been fraud, he said, but it took about two months to determine that 1.1 million customer cards had been breached. And the Target breach, which affected more than 100 million customers, only lasted a few weeks.

It is possible that the scope of the Spec violation will expand, Erlin said.

The warehouse-sized hypermarket on Smith near downtown was not affected in this instance. In addition to several small Spec’s stores, some of the affected retailers operate such as Copperfield Liquors, JJ’s Liquors, Cowtown Discount Liquors, Restaurant & Bar Supply, Warehouse Liquors, The Beverage Shoppe and Richard’s Fine Wines & Spirits. The list mainly included stores in the Houston area, but also from Bryan, College Station, Corpus Christi and El Paso.

The display may include customer bank routing numbers, card security codes, and other payment card and check information.

Malware removed

Sarver said the compromise affected “approximately less than 550,000” Spec’s customers and employees. The company said the breach affected less than 5% of Spec’s total customer transactions during that time.

“The problem has been resolved and the data is no longer being obtained,” Sarver said. She said the company replaced cash registers and “disabled and removed malware illegally placed on computer systems.”

“It’s still an ongoing investigation and we’re working on it,” said Cynthia Marble, special agent in charge of the local Houston Secret Service office. She had no further comment.

Sarver said that as the hunt for the hacker continues, Spec’s “has not taken any personal action, and based on what we know of the Secret Service, we see no reason to do so. “.

Dardenne said that while his was “disappointed” he planned to continue shopping at Spec’s.

“It’s unsettling”

Outside of Richard’s Spirits & Fine Wines on Kirby, the other patrons didn’t seem too upset.

“I’m not outraged, but it’s disturbing,” said Greg Frisco of Houston. “Dealing with all the consequences is frustrating. “

Laura Snowden said hackers have stolen her identity in the past and that she is still trying to use cash.

“Everyone should be concerned, especially with the growing use of credit cards,” she said. “Every department store that sells in bulk has to be a target.” It’s happened to Target, Neiman Marcus, and now liquor stores. I’m surprised this hasn’t happened to Toys R Us yet. “

Data theft has been in the news a lot lately, but it’s not necessarily more common today, Erlin said.

“As an industry, we are improving ourselves to detect it,” he said. “The worrying question is: How many more cases like Spec’s where data is stolen and we don’t know?”