
Statements like "we don't store credit-cards" and "no credit card data was breached" are feel-good statements to minimize brand impact. I find them difficult to accept and a bit disingenuous. How do they know their logs were not modified? Are they sure the attacker didn't insert their own markup or JavaScript to hijack the login or payment form or present a fake payment page? That type of attack can be done via SQLi, XSS Type 2, and a number of other vectors. I understand where they are at & I've been there, but when I was there, I recognized that sometimes there are no answers and all that can be done is to apologize and tell people to change their passwords and watch out for unauthorized charges.


