Target Denies That Customer PIN Data Stolen During Huge Security Breach

Dec. 25, 2013 — -- This is no holiday at the corporate offices of Target Corp., which is still trying to contain the damage from a far-reaching data breach.

Target, based in Minneapolis, Minn., says it is working "around the clock" to address the concerns of its customers, 40 million of whom had their credit and debit card information exposed when hackers breached the retailers systems between Nov. 27 and Dec. 15. Though Target said the manner of the theft is still under investigation, some experts say malware infected the swipe machines at store registers and likely traveled into Target's payment processor.

In addition to names, account numbers and expiration dates, cybersecurity experts fear the hackers were able to steal encrypted PIN data, thought Target denies it.

"To date, there is no evidence that unencrypted PIN data has been compromised," Target said in a statement. "In addition, based on our communications with financial institutions, they have also seen no indications that any PIN data was compromised."

READ MORE: Target Slapped With Lawsuits After Security Breach

Experts believe the PINs might have been compromised because banks like JPMorgan Chase decided to limit ATM withdrawals and debit card purchases of affected Target customers.

Target is reaching out to affected customers after it discovered scam artists posing as company representatives tried to steal more personal information.

READ MORE: Target Says Be Wary of Phishing Emails

So-called phishing scams are not a surprising development but a worrying one. The phony emails likely have a mock replica of the Target logo and direct victims to a website that asks them to input personal information. Target is not asking for any information online and has said it would put any official communications on its website.

After the holiday, Target will convene another conference call with state attorneys general. Long term the prosecutors are interested in the answers to two questions: When did Target know its data had been hacked compared to when consumers were informed, and was this negligence on Target's part or a sophisticated hack that the best defenses would not have stopped?