Target: Customers' Encrypted PINs Were Obtained
ATLANTA (CBS/AP) — Target said Friday that debit-card PIN numbers were among the financial information stolen from millions of customers who shopped at the retailer earlier this month.
The company said the stolen personal identification numbers, which customers type into keypads to make secure transactions, were encrypted and that this strongly reduces risk to customers. In addition to the encrypted PINs, customer names, credit and debit card numbers, card expiration dates and the embedded code on the magnetic strip on the back of the cards were stolen from about 40 million credit and debit cards used at Target between Nov. 27 and Dec. 15.
Security experts say it's the second-largest theft of card accounts in U.S. history, surpassed only by a scam that began in 2005 involving retailer TJX Cos.
Target said it doesn't have access to nor does it store the encryption key within its system, and the PIN information can only be decrypted when it is received by the retailer's external, independent payment processor.
"We remain confident that PIN numbers are safe and secure," spokeswoman Molly Snyder said in an emailed statement Friday. "The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems." The company maintains that the "key" necessary to decrypt that data never existed within Target's system and could not have been taken during the hack.
The statement reads, in full:
"Our investigation into the data breach incident is continuing and ongoing. While we are still in the early stages of this criminal and forensic investigation, we continue to be committed to sharing the facts as they are confirmed.
While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed. We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.
To help explain this, we want to provide more context on how the encryption process works. When a guest uses a debit card in our stores and enters a PIN, the PIN is encrypted at the keypad with what is known as Triple DES. Triple DES encryption is a highly secure encryption standard used broadly throughout the U.S.
Target does not have access to nor does it store the encryption key within our system. The PIN information is encrypted within Target's systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the "key" necessary to decrypt that data has never existed within Target's system and could not have been taken during this incident.
The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken."
However, Gartner security analyst Avivah Litan said Friday that the PINs for the affected cards are not safe and people "should change them at this point."
Minneapolis-based Target said it is still in the early stages of investigating the breach. It has been working with the Secret Service and the Department of Justice.
(The Associated Press contributed to this report.)