July 09 -- At least 10,000 customers of The Houstonian Hotel, Club & Spa were exposed in a credit card security breach that lasted nearly six months, officials said in an alert to guests on Tuesday.
The west Houston luxury retreat emailed 10,000 people about the "malicious software attack," which started on December 28, 2013 and continued until June 20, information technology director Jason Love said.
On June 10, the U.S. Secret Service informed the management about the potential breach of its payment processing systems.
"We undertook immediate action to fully secure our customers' data," a news release issued Tuesday said. "As of June 20, we had fully replaced and overhauled the breached systems, further restricted access to all our servers and hired a data forensics firm to help us enhance our digital security."
It is unclear how many transactions or customers were impacted by the hack.
The Houstonian on Tuesday filed a criminal report with the Houston Police Department, but that was nearly four weeks after the hotel was informed of the breach.
Love said the delay was related to the work of the forensic investigators and their report -- which was expected to be completed late Tuesday.
"We didn't have absolute certainty that we had stopped everything," he said. "We wanted to make sure we had all the information before we engaged our members."
It's difficult to know how many customers were impacted, Love added, because people use multiple payment forms -- credit cards, cash, checks and member charges -- for amenities including stays in the posh 289-room hotel, food and valet service. Membership accounts, including the items and services charged to them, were not affected, the news release said.
Receiving a notice just one day earlier may have saved John G. West's VISA card from being misused on July 7. The think-tank vice president and college professor, who lives in the Seattle area, said he spent an enjoyable few days at The Houstonian in March with his wife and kids during his children's spring break.
"I wish they had sent it out a month earlier when they were notified. Maybe my credit card would not have been used fraudulently," West said by phone. "A lot of people's data could be in trouble if it was that many months since it was compromised."
In fairness, he said, he can't be certain that the attempted Wal-Mart purchase in Colorado was connected to the breach in The Houstonian's system.
When he tried to use the card on Monday in Washington state, West's transaction wouldn't go through. That's when he called his credit company and learned of the attempted questionable charge.
Then, on Tuesday afternoon, the notice from The Houstonian landed in his inbox.
In its email to customers, The Houstonian expressed its regrets for the inconvenience and offered one year of complimentary credit monitoring to affected guests.
Customers who did not give the retreat an email address or who did not receive the notice, as well as those with questions or concerns, should contact Nora Harding at 713-812-6982.
Copyright 2014 - Houston Chronicle