In the wake of the massive Target attack that allowed hackers to claim 40 million credit and debit cards and CVV codes in a few weeks, officials with the retail giant have now confirmed that related phishing communications have begun making the rounds.
It is very common for phishers to concoct schemes to scam people impacted in data breaches, particularly because they can capitalize by taking advantage of nerves and paranoia in the midst of a potentially confusing and scary situation.
“We are aware of limited incidents of phishing or scam communications,” according to a post on the Target website. “To help our guests feel confident that what they are hearing from Target is really from us, we are in the process of setting up a dedicated resource on our corporate website where we will post PDFs of all official communications that Target sends to our guests.”
Meanwhile, Target is denying all claims that encrypted personal identification numbers (PINs) were compromised in the attack, despite a Christmas Day Reuters report in which an anonymous “senior payments executive familiar with the situation” indicated otherwise.
“We continue to have no reason to believe that PIN data, whether encrypted or unencrypted, was compromised,” Molly Snyder, a Target spokeswoman, told Reuters by email. “And we have not been made aware of any such issue in communications with financial institutions to date. We are very early in an ongoing forensic and criminal investigation.”
Target has yet to reveal exactly how hackers were able to steal the cards, but several experts have suggested that the cyber crooks compromised the retailer's point-of-sale (POS) devices. Cards have already begun turning up for sale in underground online marketplaces.UPDATE: According to a Friday statement posted on the Target website, further investigations revealed that encrypted PIN data was obtained during the attack. “Target does not have access to nor does it store the encryption key within our system,” according to the release. “The PIN information is encrypted within Target's systems and can only be decrypted when it is received by our external, independent payment processor.”