According to a statement published by the company, the attack apparently began on October 21, 2012, and may have continued through March 20, 2014. The company didn't say when they first found out about it, but according to the Houston Chronicle, indications that a breach might have happened date back to last year.
It seems that those indications came from banks and credit card companies who discovered the problem before the company itself.
"This was a very sophisticated attack by a hacker or hackers who went to great lengths to cover their tracks," the company spokeswoman Jenifer Sarver said. "It took professional forensics investigators considerable time to find and understand the problem then make recommendations for Spec's to fully address and fix them."
The company also claims that they didn't notify affected users sooner because federal investigators had asked them not to share details of the breach with the public. Still, the question remains why exactly it took so long to spot the breach.
The company has discovered that systems in 34 of their 165 stores were compromised, and that the compromised information includes payment card information (customer's name, card number, expiration date, security code) and check information (customer's bank account number, bank routing number, date of birth and/or driver's license number).
“Thankfully, most of our customers were not affected. While it is a relief that fewer than 5% of our total transactions may have been impacted, that in no way diminishes our great concern for those affected,” Spec’s said in the statement.
According to Sarver, the security issue that made the breach possible has been resolved, and the company has replaced the affected cash registers and removed the malware.
The criminal investigation led by the US Secret Service is ongoing, as is the one mounted by the forensic investigator hired by the company. Spec's has also hired a Qualified Security Assessor to review their systems, and has worked with several cyber security firms to strengthen their defenses against future attacks.
Potentially affected customers will receive one year of free fraud resolution services, and are advised to place a fraud alert on their credit file and to review their account statements.