Hey Upset, This is a very serious situation and could exposes you to identity theft now and in the future depending on the information being displayed. I know enough about the standards and laws to tell you that this should have been fixed immediately. This is not a Tier 4 tech support issue; it should be top priority for the company. I think the US is a bit of a sue happy nation, so I don't say this lightly, but this is certainly a time when you should get a lawyer.
If you cannot afford a lawyer then maybe your State Attorney General may be able to help. Or you could try to find a Legal Aid office.
You need to get proof that this is going on. You mentioned another customer notified you. Maybe they can help gather it. Maintain a log of all communication with Hughes including numbers, names, date/time.
When speaking on the phone record the conversations. To be legally safe you should notify the other party that you are recording the call. If they do not want to be recorded tell them that you wish to speak to someone who will allow it. Unless you are speaking to the president of the company and they tell you they do not want to be recorded then do not give up. This is normally a very fast track to the legal department where your issue will be addressed.
Any company that stores credit card data must maintain PCI compliance.
There are steps that a company should take when a breach has occurred. Step one is isolate the system. If the system is online it has obviously not been isolated. If credit card data has been shared then the major credit companies such as Visa, Mastercard, etc should be notified. I know the Visa contact is: Visa Fraud control (650) 432-2978 firstname.lastname@example.org
The fact that Hughes has known for three months and have not acted is inexcusable!