More than half a million customers at 34 liquor stores owned by Spec's may have had critical financial information stolen in a sophisticated computer scam that persisted for a year and a half, the company announced Friday.

The Houston-based chain, a statewide presence with 155 stores, joins a growing list of high-profile retailers, from Target to Neiman Marcus, that have reported major breaches this year. Those security breakdowns affected more customers, but the Spec's hacking appears to have lasted much longer before being made public.

The company issued a statement saying the breach is believed to have started Oct. 31, 2012, and continued as late as last week. A representative said hints the computer system had been compromised began to surface early last year but that until this week federal investigators had asked Spec's not to divulge details.

"This was a very sophisticated attack by a hacker or hackers who went to great lengths to cover their tracks," spokeswoman Jenifer Sarver said. "It took professional forensics investigators considerable time to find and understand the problem then make recommendations for Spec's to fully address and fix them."

More Information Stores that were compromised Customer information was compromised at 34 Spec's-owned liquor stores statewide. Some of the stores operate as Copperfield Liquors, JJ's Liquors, Cowtown Discount Liquors, Restaurant & Bar Supply, Warehouse Liquors, The Beverage Shoppe and Richard's Fine Wines & Spirits. Houston-area stores affected: 1 12901 Queensbury 1 14110 Stuebner Airline 1 14114 Stuebner Airline 1 1665 South Voss 1 1743 Fry 1 1900 S. Shepherd 1 2545 Kirby 1 5630 Richmond 1 5750 Woodway 1 5818 Memorial 1 8306 Southwest Freeway 1 4665 Garth Road, Baytown 1 1304 West Davis, Conroe 1 17996 FM 529, Cypress 1 13827 Southwest Freeway, Sugar Land 1 10491 Kuykendahl, The Woodlands 1 4747 Research Forest Drive, The Woodlands 1 4775 West Panther Creek, The Woodlands Other affected stores around the state: 1 1600 Texas Ave., College Station 1 3505 Longmire, College Station 1 10529 South Padre Island Drive, Corpus Christi 1 4318 Ayers , Corpus Christi 1 4733 South Alameda, Corpus Christi 1 620 Old Robstown , Corpus Christi 1 6401 Weber, Corpus Christi 1 11411 Gateway Blvd. West, El Paso 1 5100 Montana Ave., El Paso 1 7933 North Mesa, El Paso 1 15540 FM 624, Robstown Closed, but open during the time of the compromise: 1 2230 Buckthorne Place, The Woodlands 1 9420 College Park, The Woodlands 1 4530 Kingwood Drive, Kingwood 1 1219 N. Texas Ave., Bryan 1 4804 Doniphan Drive, El Paso Get answers Spec's has set up the following services for customers who may have been affected by the data breach. Hotline: Spec's customers can call 855-731-6017 for more information. Fraud resolution services: Spec's will provide one year of free fraud resolution services through All ClearID. The services are available at https://specsonline.allclearid.com.

Read More

Rick Dardenne, a Spec's customer who lives in Fort Worth, said he learned his information had been compromised, possibly when he shopped at a Spec's in Kingwood, after receiving a new Amegy Bank card in the mail. He said he called Amegy about two weeks ago and asked if the switch was because he had shopped at Target. The customer service rep told him that there had also been a breach at Spec's.

"I don't like being kept in the dark," said Dardenne. "Target at least communicated with the customers sooner."

'Exceptionally long'

Tim Erlin, director of IT risk strategy at data security firm Tripwire, agreed that the breach "was exceptionally long." He also said that whatever security measures were in place "were clearly ineffective or inadequate."

Sarver said that after receiving alerts from a major lending institution and the company that processes many of its card payments, Spec's brought in private investigators and turned over evidence to the U.S. Secret Service. The breach may have lasted as late as March 20.

"I'm surprised the investigation went on so long without them discovering the root problem," said Erlin, adding that Spec's did the right thing hiring a private investigator after finding out fraud of some kind was taking place.

Neiman Marcus also learned from an outside source there had been fraud, he said, but it took about two months to determine 1.1 million customer cards had been breached. And the Target breach, which affected more than 100 million customers, lasted just a few weeks.

It's possible the scope of the Spec's breach will expand, Erlin said.

The warehouse-size superstore on Smith near downtown was not affected in this case. In addition to several smaller Spec's stores, some of the affected retailers operate as Copperfield Liquors, JJ's Liquors, Cowtown Discount Liquors, Restaurant & Bar Supply, Warehouse Liquors, The Beverage Shoppe and Richard's Fine Wines & Spirits. The list included mostly stores in the Houston area, but also some in Bryan, College Station, Corpus Christi and El Paso.

The exposure may include customers' bank routing numbers, card security codes and other payment card and check information.

Removed malware

Sarver said the compromise affected "an estimated fewer than 550,000" customers and Spec's employees. The company said the breach affected less than 5 percent of Spec's total customer transactions during that period.

"The issue has been resolved and data is no longer being obtained," Sarver said. She said the company replaced cash registers and "disabled and removed malware that was illegally placed on the computer systems."

"It's still an ongoing investigation and we are working on it," said Cynthia Marble, special agent in charge at the Houston field office of the Secret Service. She had no further comment.

Sarver said that as the hunt for the hacker continues, Spec's "has not taken any personnel action, nor based on what we know from the Secret Service do we see any reason to."

Dardenne said that while his is "disappointed," he plans to continue shopping at Spec's.

'It is unsettling'

Outside the Richard's Spirits & Fine Wines on Kirby, other customers did not seem overly upset.

"I'm not outraged, but it is unsettling," said Greg Frisco of Houston. "Just dealing with all the aftermath is frustrating."

Laura Snowden said hackers have stolen her identity in the past and she always tries to use cash.

"Everyone should be concerned, especially with the increasing use of credit cards," she said. "Every large store that sells in bulk has to be a target. "It's happened to Target, Neiman Marcus and now liquor stores. I'm surprised it hasn't happened to Toys R Us yet."

Data theft has been in the news a lot lately, but is not necessarily more common today, Erlin said.

"As an industry, we're getting better at detecting it," he said. "The concerning question is, how many more cases are like Spec's where data is being stolen and we don't know?"