Spec’s, a liquor store chain based in Houston, Texas, has suffered a data breach. Cybercriminals had access to the computer systems of 34 stores for a total of 17 months, during which they might have stolen the details of as many as 550,000 customers and employees.
In a statement published on its website last week, Spec’s revealed that the attack started on October 31, 2012. The attackers had access to the company’s systems until March 20, 2014.
The attackers had access to payment card and check information. The payment card data includes names, credit and debit card numbers, expiration dates and security codes. The check information includes bank account numbers, bank routing numbers, dates of birth and, in some cases, driver’s license numbers.
The 34 affected stores (Spec’s has a total of 165 stores) are said to be small neighborhood stores in College Station, Corpus Christi, El Paso, and the Greater Houston area. The list of impacted establishments includes Copperfield Liquors, JJ’s Liquors, Cowtown Discount Liquors, Restaurant & Bar Supply, Warehouse Liquors (in Corpus Christi), The Beverage Shoppe, Richard’s Fine Wines & Spirits.
The company says that Rio Grande Valley stores, the Houston superstore and shops in North and Central Texas are not affected.
“Thankfully, most of our customers were not affected. While it is a relief that fewer than 5% of our total transactions may have been impacted, that in no way diminishes our great concern for those affected,” Spec’s said in a statement published on its website.
The company’s representatives have told the Houston Chronicle that fewer than 550,000 customers and Spec’s employees are impacted.
They’ve clarified that the security hole exploited by the cybercriminals was patched. The malware used to exfiltrate data has been removed and cash registers at affected locations have been replaced.
Spec’s spokeswoman Jenifer Sarver told the Houston Chronicle that it was a sophisticated cyberattack by a group that went to great lengths to ensure that it could not be identified.
“It took professional forensics investigators considerable time to find and understand the problem then make recommendations for Spec’s to fully address and fix them,” Sarver said.
Evidence has been provided to the US Secret Service. There’s no indication that this was an insider breach.
Spec’s advises customers to place a fraud alert on their files with the major credit bureaus. In addition, all those who have made purchases at one of the 34 locations between October 2012 and March 2014 are being offered one year of free fraud resolution services with AllClear ID.
Starting today, April 2, the firm is launching a hotline at 1-855-731-6017 for those who might have any additional questions regarding the incident.