Luxury retreat informed by the U.S. Secret Service of six-month long breach

Jul 11, 2014 00:17 GMT

A security breach of the systems of the Houstonian Hotel, Club and Spa that lasted about six months led to the exposure of the credit card details of at least 10,000 customers.

On June 10, the U.S. Secret Service informed the management of the retreat of a potential attack that targeted the payment processing systems.

It appears that the perpetrators managed to maintain access to the systems holding sensitive information for a period of almost six months, from December 28, 2013 through June 20, 2014.

Jason Love, information technology director at the Houstonian Hotel, told the Houston Chronicle that immediate measures were taken to secure the customer data as soon as they received the news from the U.S. Secret Service.

“As of June 20, we had fully replaced and overhauled the breached systems, further restricted access to all our servers and hired a data forensics firm to help us enhance our digital security,” he said in a statement to the publication.

Given the length of time the cybercriminals had access to the payment systems, the total number of affected customers is not known. The 10,000 customers notified of the breach are only those who provided contact details during their stay at the luxury retreat; they are advised to contact Nora Harding at 713-812-6982.

Notification of affected customers is generally delayed by the forensic investigation that needs to be conducted in order to determine the risk and the parties impacted.

“We wanted to make sure we had all the information before we engaged our members,” said Love.

When the report of the investigation came out on Tuesday, the company filed a criminal report with the Houston Police Department. It also made credit monitoring services available to the affected customers, free of charge, for one year, which can be used to report fraudulent activities on their bank account.

Cybercriminals do not always rush to sell or use stolen credit card information. In the case of the P.F. Chang’s point-of-sale systems breach, the investigation determined that the clients had used their credit cards at the restaurant between the beginning of March and May 19, and the details were advertised for sale only on June 9.

However, according to Brian Krebs, the company’s restaurants had been leaking the credit card data for a period of nine months, since September 18, 2013, and the total number of cards compromised may have been around 7.2 million.