U.S. Sen. Robert Menendez talks during a news conference outside of a Target store, Thursday, Dec. 26, 2013, in Jersey City, N.J. (AP PHOTO/JULIO CORTEZ)

Earlier this month, Target disclosed that 40 million credit cards used at its retail locations were compromised in the second largest retail data breach in U.S. history. Now the company, its customers and even hackers selling the stolen credit card information are dealing with the fallout, and everyone — with the possible exception of the criminals who pulled off the stunt and Brian Krebs, who broke the story and is flexing his cyber security bona fides on the Target crime beat — is worse off. Here's a quick roundup of how the Target debacle is affecting every identifiable party involved. 

The Customers: Bank PINs may have been stolen

Target customers were, to put it lightly, disappointed to learn that their credit card information was compromised during the busiest shopping season of the year. Making matters worse for consumers, banks enacted an unorthodox withdrawal and spending cap on debit cards due to the scope of the crime — and possibly because the theft may be even more severe than Target is reporting. According to Reuters, a source familiar with the situation revealed that whoever stole the credit card info also nabbed encrypted personal identification numbers (PINs). The theft of encrypted data would increase the scope of the crime significantly, as hackers could unscramble the encrypted code and use it to withdraw funds from victims' accounts. This breach would help explain why banks would take the drastic measure of restraining use of ATM cards. Reuters elaborates: 

Daniel Clemens, CEO of Packet Ninjas, a cyber security consulting firm, said banks were prudent to lower debit card limits because they will not know for sure if Target's PIN encryption was infallible until the investigation is completed. As an example of potential vulnerabilities in PIN encryption, Clemens said he once worked for a retailer who hired his firm to hack into its network to find security vulnerabilities. He was able to access the closely guarded digital "key" used to unscramble encrypted PINs, which he said surprised his client, who thought the data was secure.

Target has denied that any unencrypted PIN information was stolen, though spokeswoman Molly Snyder did say that some "encrypted data" was accessed,  adding, "We continue to have no reason to believe that PIN data, whether encrypted or unencrypted, was compromised. And we have not been made aware of any such issue in communications with financial institutions to date." 

Target: Called out for negligence

Though Target has made an effort to ease the burden on affected customers, many are unimpressed by their response. Shoppers — some of whom have taken up a class-action lawsuit against the retailer — received a paltry 10 percent discount for their troubles, in addition to free credit-monitoring services. Target lost customers, and is cooperating with the Department of Justice investigation of the breach, though it says it is not being investigated itself. 

The store has been criticized by lawmakers, as well. Senator Robert Menendez accused the chain of caring about "the bottom line" over its patrons and urged the Federal Trade Commission to issue a harsh punishment to the company, saying that "people need to know that they aren’t going to get ripped off shopping, either by silent hackers or by the merchants themselves." Senator Richard Blumenthal also chimed in, writing in a letter to the FTC that “given the scope and duration of Target’s recent data breach, it appears that Target may have failed to employ reasonable and appropriate security measures to protect personal information." The senators hope the FTC will look into security measures across retail shops in general, dragging Target to the center of a larger campaign. 

The Hacker: Tracked down and exposed 

Krebs took it upon himself to track down at least one vendor of the private data, and did so in a spectacularly intricate fashion. The cyber security expert details the virtual chase on his blog, where he outs Ukrainian hacker Andrew Hodirevski for manning the site rescator.la, which has been selling data stolen during the Target breach. Krebs tracked down Hodirevski, known online as Rescator, by looking up personal information Rescator has offered about himself on the web, including a braggy confession that served as an administrator of the defunct hacker forum darklife.ws. Photos of Helkren, his Darklife nom du guerre, were posted to Darklife by rival hackers. Krebs retrieved the images, along with some of Helkren's user names across other sites, and matched them to social media profiles linked to Hodirevski. Krebs did not hesitate to post some (fairly embarrassing) information culled from the social media sites to his blog — like a list of his goals, including world domination — as well as an IM conversation he had with a contact (kaddafi.me) who works with Hodiresvki. The sting is about as hacker-nerdy as you can would hope: 

(2:05:17 PM) kaddafi.me: What’s all the commotion about Rescator anyways?

(2:05:20 PM) krebs//: well i have a story about him going up tomorrow

(2:05:23 PM) kaddafi.me: Did you even notice other shops are selling same shit?

(2:05:32 PM) krebs//: sure

(2:05:46 PM) krebs//: but I’m not looking at other shops right now

(2:06:05 PM) kaddafi.me: Well you should )

(2:06:10 PM) krebs//: in time 

Eventually, kaddafi.me offered Krebs a $10,000 bribe not to run the story, and we can imagine he's not super pleased that Krebs did.