Reports of Stolen PINs Add to Target’s Security Headache

Source: Kevin Dooley / Flickr

The Christmas holiday is over, but Target (NYSE:TGT) is far from finished navigating its security breach drama. After already suffering struggling sales in what is considered the most lucrative time of the year for retailers, a major blow came to the Minneapolis, Minnesota-based retailer last week when it discovered that hackers stole data from as many as 40 million cards used at Target stores during the first three weeks of the holiday shopping season. Target has now offered free credit monitoring to consumers, promised those affected they wouldn’t be responsible for fraudulent charges, and has extended discounts. But what’s done is done, and now some are even saying that Target hackers have their hands on encrypted bank PINs, only adding to the widespread alarm.

According to Reuters, a senior payments executive familiar with the situation told reporters Tuesday that the hackers who attacked Target also managed to steal encrypted personal identification numbers. This would be problematic for consumers because having access to the codes gives thieves the ability to make fraudulent withdrawals from consumer bank accounts, further exasperating the mess already created by the security breach.

However, a Target spokesperson denied reports of PIN theft and said in a statement that same day, “To date, there is no evidence that unencrypted PIN data has been compromised. In addition, based on our communications with financial institutions, they have also seen no indications that any PIN data was compromised. Our priority continues to be the security of our guests and we are working around the clock to address this issue.”

So, Target has been quick to maintain that no “PIN data, whether encrypted or unencrypted, was compromised” during the security breach, but actions by major banks still call into question what they believe really happened in those three weeks that the retailer suffered the data theft. Reuters reports that the U.S. Secret Service and the Justice Department are now on the case, but banks like JPMorgan Chase & Co. (NYSE:JPM) and Santander Bank have lowered limits this week on how much cash customers can take out of teller machines and spend at stores, meaning they might be worried about PINS falling into the hands of criminals.

According to security experts, it is highly unusual for banks to reduce caps on withdrawals and Avivah Litan, a Gartner analyst who specializes in cyber security and fraud detection, explains that, “That’s a really extreme measure to take. They definitely found something in the data that showed there was something happening with cash withdrawals.” So for now, consumers will just need to wait and see what the investigators on the case can find.

Experts and executives are reportedly meeting around the clock to help get to the bottom of the issue, consistently reiterating that guests will bear no liability for any fraudulent charges as a result of the breach, but as the second biggest data theft suffered by a retailer to date, it is clear that the investigation will not be a short one, and Target is already facing class-action lawsuits and a number of other similar legal actions. The mayhem will continue past the Christmas holiday as shoppers try to make returns and take advantage of post-Christmas deals, but recent sales figures show that still, not as many consumers will be walking into Target stores as the retailer would like.

More From Wall St. Cheat Sheet: