One major U.S. bank fears that the thieves will be able to crack the encryption code and make fraudulent withdrawals from consumer bank accounts, said the executive, who spoke anonymously.
Target spokeswoman Molly Snyder said “no unencrypted PIN data was accessed” and there was no evidence that PIN data has been “compromised.” She confirmed that some “encrypted data” was stolen, but declined to say whether that included encrypted PINs.
The No. 3 U.S. retailer said last week that hackers stole data from as many as 40 million cards used at Target stores during the first three weeks of the holiday shopping season.
Target has not said how its systems were compromised, although it described the operation as “ sophisticated.” The U.S. Secret Service and the Justice Department are investigating. Officials have declined to comment.
The attack could end up costing hundreds of millions of dollars, but it is unclear so far who will bear the expense.
While bank customers typically are not liable for losses because of fraudulent activity on their credit and debit cards, JPMorgan Chase & Co. and Santander Bank said they have lowered limits on how much cash customers can take out of teller machines and spend at stores.
The unprecedented move has led to complaints from consumer advocates about the inconvenience it caused. But sorting out account activity after a fraudulent withdrawal could take a lot more time and be worse for customers.
Security experts said it is highly unusual for banks to reduce caps on withdrawals, and the move likely reflects worries that PINs have fallen into criminal hands, even if they are encrypted.
While the use of encryption codes might prevent amateur hackers from obtaining the digital keys to customer bank deposits, the concern is that it might not stop the kind of sophisticated cyber criminal who was able to infiltrate Target.