A chain of liquor stores based in Houston, Texas may have leaked as many as 550,000 sets of customer bank and card records after some of its systems were compromised for close to 17 months.
Spec’s, a family-run chain which is apparently the fifth largest wine seller in the US, operates over 165 stores, of which 34 are thought to have been affected by the breach.
These were mostly smaller local stores in the Houston area – the chain, like most things Texan, is known for the jumbo scale of some of its outlets, but the larger superstores do not seem to be affected by the leak.
Data lost includes most things an identity thief might want, ranging from payment card numbers, expiry dates and security codes to dates of birth and driver’s license numbers in some cases.
As in the case of the Neiman Marcus breach, the leak was uncovered from the outside, with banks and credit card companies spotting something was amiss before the store operators themselves were aware.
This led to some customers learning of the problem from their banks some time before Spec’s public disclosure of the issue on 28 March.
Their statement does not specify when they first learned of the breach, but asserts that it was finally fully cleaned up by 20 March.
With the initial penetration thought to have occurred on 31 October 2012, that’s almost 17 months during which some or all of the 34 stores involved were infected.
Local news reports quote a Spec’s spokesperson as saying that there were suspicions of a problem as long ago as “early last year”, and that they had been asked not to disclose the issue until now by federal investigators.
They also claim that the forensic analysis took a long time to establish fully what was going on.
This is worrying given how recently the final all-clear was given. When people’s personal data has been leaked, they need to know as quickly as possible, and systems suspected of leaking such data should be locked down immediately rather than kept running until full cleanup can be ensured.
But it seems that in some cases law enforcement prefer to allow crimes to continue beyond their initial detection, to help them track down the perpetrators.
This may feel a little like using innocent future customers as bait, but the crimestoppers will doubtless argue that their misfortune is in the name of the greater good.
The narrow geographical spread of the infections, and being limited to smaller neighbourhood stores, implies the malware may have been planted manually, exploiting some weakness in physical security at the affected locations.
The firm says it has replaced some cash registers, which may support the theory that the registers themselves were physically compromised.
However, they also state that no employees are thought to be involved, and it’s quite possible that the attack was entirely network-based, with the affected stores sitting on a shared network node, or sharing a software or policy weakness which allowed the compromise to take place.
For those worried their data may have been leaked, Spec’s provides a full list of the stores involved, and offers the usual credit monitoring services, in their statement.