Target confirms customer PINs were taken in breach, maintains data is safe
But the PINs were encrypted and therefore should be inaccessible to hackers, according to the retailer
IDG News Service - Target has confirmed that hackers obtained customer debit card PINs (personal identification numbers) in the massive data breach suffered by the retailer during the busy holiday shopping season, but says customers should be safe, as the numbers were encrypted.
Some 40 million customer debit and credit cards were affected by the breach, but until now it wasn't clear that PINs were part of the hackers' massive haul.
"While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed," Target said in a statement on its website Friday. "We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems."
When Target customers use their debit cards, the PIN is secured with Triple DES encryption at the checkout keypads, according to the statement. "Target does not have access to nor does it store the encryption key within our system," it adds. "The PIN information is encrypted within Targets systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the 'key' necessary to decrypt that data has never existed within Targets system and could not have been taken during this incident."
The company didn't reveal how many PINs were taken, or whether it even knows the total at this point in its probe.
Target is still in the early stages of its investigation into the breach, according to Friday's statement. The company previously said it was working alongside the U.S. Secret Service and Department of Justice on the investigation.
U.S. lawmakers have called for an immediate investigation into Target's security practices. The retailer has said customers will not be forced to pay for any fraudulent charges on their card, and are also eligible to receive credit monitoring at no charge.
Chris Kanaracus covers enterprise software and general technology breaking news for The IDG News Service. Chris' email address is Chris_Kanaracus@idg.com
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Infographic: Converged Infrastructure Benefits This Infographic quantifies the savings organizations are realizing from increased deployment speed, higher availability, and lower annual costs.
- CIOs Deliver Productivity Breakthroughs with Intelligent Digital Signage Retailers have long recognized the influence that digital signage provides over a shopper's point-of-purchase decision making process.
- Going Paperless? Here's What You Need to Think About As makers of some of the world's most popular PDF solutions, we often consult with businesses & governmental agencies that have the goal...
- The Big Data Opportunity for HR and Finance If CEOs, CFOs, CIOs, and CHROs want to drive their businesses forward, they will need to quickly recognize the enormous value of big...
- Top 4 Digital Signage Fails Join RMG Networks for a look at four of the most common reasons digital signage fails in corporate businesses. Learn about strategies to...
- Building Tomorrow's Infrastructure Listen to this podcast to discover how Crider Foods worked with PC Connection to update their IT infrastructure, while maintaining compliance and control. All Cybercrime and Hacking White Papers | Webcasts