Target Admits Customer PIN Data Removed but Says It's 'Secure'

PHOTO: A customer signs on the screen of a credit card machine at a Target store in Tallahassee, Fla., in this Jan. 18, 2008 photo.

Target Corp. said that PIN data was lifted during its massive data breach, but that it's "confident that PIN numbers are safe and secure."

"The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken," Target said in a statement today about the data breach that might have affected as many as 40 million customers between Nov. 27 and Dec. 15.

Earlier this week, a Reuters report said debit card PIN data may have been compromised, which Target denied. But through "additional forensics work" on Friday morning, the company confirmed "that strongly encrypted PIN data was removed."

Target defended its position, saying that when a guest uses a debit card in its stores and enters a PIN, the PIN is encrypted at the keypad with what is known as Triple DES.

"The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems," Target said in its statement on Friday.

"I hope they are right because that information, along with the credit and debit numbers of millions of Target customers, has been in the hands of 'very sophisticated' criminals for over four weeks and has been, and is probably still being, sold in the black markets," said Adam Levin, chairman and co-founder of Identity Theft 911 and Credit.com.

Target said it "does not have access to nor does it store the encryption key" within its system.

"The PIN information is encrypted within Target's systems and can only be decrypted when it is received by our external, independent payment processor," Target said on Friday. "What this means is that the 'key' necessary to decrypt that data has never existed within Target's system and could not have been taken during this incident."

Experts believed the PINs might have been compromised because banks such as JPMorgan Chase decided to limit ATM withdrawals and debit card purchases of affected Target customers.

Target is reaching out to affected customers after it learned scam artists posing as company representatives tried to steal more personal information.

Kiersten Todt, president and managing partner of Liberty Group Ventures, said it appears that Target took expensive steps to protect its consumer data.

"Target has obviously done a rigorous forensic analysis and shared that the encryption technology used to protect PIN data kept it secure for its customers, so that if the PIN data were stolen it is not accessible because it was fully encrypted," she said.
