Target’s PR nightmare keeps getting worse and worse.
On Friday, the American discount retailer confirmed that hackers stole PIN data during the breach that affected millions of Target customers in November and December. The thieves also made off with more than 40 million credit and debit card numbers, which they’re reportedly unloading in underground markets.
Target’s statement today is a dramatic reversal from its update yesterday, when the company challenged assertions that PIN data was stolen. There were “no indications” that any PIN data was compromised, the retailer said then in a statement.
Now Target is changing its tune.
“While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed,” said Target spokesperson Molly Snyder in a statement provided to VentureBeat.
The company believes the actual PIN numbers remain secure, however, because it never stored the keys needed to decrypt the data; a third-party payment processor handles that. Target protects the data using Triple DES encryption, and only the company's external payment processor holds the decryption keys.
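The design Target describes, with the PIN encrypted under Triple DES and the key held only by the payment processor, is illustrated below in Go. This is an added example, not Target's or its processor's code: the ISO 9564 format-0 PIN block is assumed (the article does not say which PIN block format was used), and the key, PAN and PIN are constructed sample values. It shows what a record copied from a merchant system contains (the card number and an encrypted PIN block) and that the PIN is only recoverable by the party holding the key.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// panField returns the 8-byte field "0000" + rightmost 12 PAN digits excluding
// the check digit, which ISO 9564 format 0 XORs into the PIN block (assumed format).
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 {
		return nil, errors.New("PAN too short")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// buildPinBlock forms a format-0 PIN block: 0 | PIN length | PIN | F padding,
// XORed with the PAN field so equal PINs on different cards give different blocks.
func buildPinBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	field := fmt.Sprintf("0%X%s", len(pin), pin)
	field += strings.Repeat("F", 16-len(field))
	a, err := hex.DecodeString(field)
	if err != nil {
		return nil, err
	}
	b, err := panField(pan)
	if err != nil {
		return nil, err
	}
	block := make([]byte, 8)
	for i := range block {
		block[i] = a[i] ^ b[i]
	}
	return block, nil
}

// recoverPin reverses buildPinBlock. It validates the format-0 layout, so it
// only succeeds on a block that was decrypted with the correct key.
func recoverPin(block []byte, pan string) (string, error) {
	if len(block) != 8 {
		return "", errors.New("PIN block must be 8 bytes")
	}
	b, err := panField(pan)
	if err != nil {
		return "", err
	}
	plain := make([]byte, 8)
	for i := range plain {
		plain[i] = block[i] ^ b[i]
	}
	s := strings.ToUpper(hex.EncodeToString(plain))
	n64, err := strconv.ParseInt(s[1:2], 16, 0)
	n := int(n64)
	if err != nil || s[0] != '0' || n < 4 || n > 12 {
		return "", errors.New("not a format-0 PIN block")
	}
	pin, pad := s[2:2+n], s[2+n:]
	if strings.Trim(pin, "0123456789") != "" || strings.Trim(pad, "F") != "" {
		return "", errors.New("malformed PIN block contents")
	}
	return pin, nil
}

// keyHolder models the party that holds the 3DES key (the payment processor in
// Target's account); the merchant's systems never store this value.
type keyHolder struct{ key []byte }

func (k keyHolder) encryptPinBlock(block []byte) ([]byte, error) {
	c, err := des.NewTripleDESCipher(k.key) // needs a 24-byte key
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, block) // a single 8-byte block, so no chaining mode is involved
	return out, nil
}

func (k keyHolder) decryptPinBlock(enc []byte) ([]byte, error) {
	c, err := des.NewTripleDESCipher(k.key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Decrypt(out, enc)
	return out, nil
}

// merchantRecord is what a copy of the merchant's data yields: the card number
// and the encrypted PIN block, but no key.
type merchantRecord struct {
	pan         string
	encPinBlock []byte
}

func main() {
	// Constructed sample key, PIN and PAN (not real values).
	key, _ := hex.DecodeString("0123456789ABCDEFFEDCBA98765432100011223344556677")
	processor := keyHolder{key: key}
	pan, pin := "4000123456789010", "1234"

	block, _ := buildPinBlock(pin, pan)
	enc, _ := processor.encryptPinBlock(block)
	rec := merchantRecord{pan: pan, encPinBlock: enc}
	fmt.Printf("stored at merchant: PAN=%s encrypted PIN block=%x\n", rec.pan, rec.encPinBlock)

	dec, _ := processor.decryptPinBlock(rec.encPinBlock)
	got, err := recoverPin(dec, rec.pan)
	fmt.Printf("processor with key recovers PIN: %q (err=%v)\n", got, err)
}
```

Note the design point the article leans on: the merchant record holds ciphertext and the PAN, and decryption requires the processor's key. Triple DES is an aging algorithm, so the strength of this arrangement rests on the key staying outside the merchant environment.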
“The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken,” said Snyder.
Should the thieves find a way to crack the encryption, however, they could hypothetically withdraw cash directly from cardholders’ bank accounts. That fear drives several proposed class-action lawsuits against the retailer, which allege that the company failed to adequately safeguard its systems storing customer data.
At least one major bank believes the thieves might make fraudulent withdrawals, according to a Reuters report earlier this week. In response to the Target hack, JPMorgan Chase and Santander Bank said they have lowered the limits on the amount of cash customers can withdraw from their ATMs.
The Secret Service and the U.S. Department of Justice are investigating the Target breach, which the company called “sophisticated.” The retailer has yet to file a formal disclosure of the incident with the Securities and Exchange Commission.