After the massive Target security breach that affected millions of customers, the retailer seems more concerned with its image than with keeping customers out of the dark.
That much became clear on Christmas Day, when Target appeared to deny a Reuters report that claimed the thieves made off with encrypted bank PINs. In reality, Target’s “denial” was anything but. Read closely, and you’ll find a carefully-worded public statement that doesn’t actually refute what Reuters wrote.
Here’s the key piece of the Reuters story:
The hackers who attacked Target Corp and compromised up to 40 million credit cards and debit cards also managed to steal encrypted personal identification numbers (PINs), according to a senior payments executive familiar with the situation.
The important word here is “encrypted.” If the hackers did steal encrypted PINs, it’d be kind of like stealing a safe without having the combination. Encryption is isn’t always hack-proof, so it’s worth knowing when encrypted personal data gets into the wrong hands. For this reason, tech firms routinely tell users to change their passwords after a security breach, even when the stolen passwords are encrypted.
Target’s denial, as reported by ABC News and others, deftly avoids the question of whether the hackers stole encrypted PINs (emphasis mine):
To date, there is no evidence that unencrypted PIN data has been compromised.
That’s great, but Reuters never said anything about unencrypted PIN data. This is a classic example of PR misdirection. The statement continues:
In addition, based on our communications with financial institutions, they have also seen no indications that any PIN data was compromised.
Now, we have another important word to deal with. Target says that no PIN data has been “compromised,” which suggests that the criminals haven’t been able to crack the encrypted PINs and clean out shoppers’ bank accounts. Again, that’s great news, but Reuters never reported that customers’ bank accounts had been compromised, only that encrypted data had been stolen.
The funny thing is that if you actually read Reuters’ report, you get the pleasure of watching Target PR squirm:
Target spokeswoman Molly Snyder said “no unencrypted PIN data was accessed” and there was no evidence that PIN data has been “compromised.” She confirmed that some “encrypted data” was stolen, but declined to say if that included encrypted PINs.
Target appears unwilling to address the issue of stolen encrypted PINs, and it’s easy to guess why: The more cards that get replaced, the greater the cost to banks, which may try to recoup those costs from Target. So far, Chase is the only bank that is replacing all compromised debit and prepaid cards.
Sadly, several other publications (TIME included) didn’t pick up on these nuances. They merely reported Target’s statement as a straight-up denial, casting doubt on Reuters and its “senior payments executive” source. In other words, the misdirection worked pretty well.
Update: On Friday, two days after the Reuters report, Target confirmed that encrypted PINs were stolen in the breach after all.
(MORE: How Easy Is It For Hackers To Get Your Information?)