Target Says Stolen PIN Data Can't Be Cracked

03 January 2014

Big-box retailer Target, suffering from a lack of traffic after a massive data breach that affected 40 million, now says the breach resulted in only encrypted PINs being lifted – which are tough to crack, if not virtually impossible. Nonetheless, Target's brand continues to take a hit.

First uncovered by security researcher Brian Krebs, the breach resulted in perpetrator(s) stealing credit and debit card “track data,” which enables the attackers to create (and sell) counterfeit cards. Anyone who swiped a card at a Target store between Nov. 27 and Dec. 15, the busiest shopping time of the year, could potentially be a victim. 

Target has now said that any debit card PIN information is likely safe and secure.

“While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed,” the company said in a statement. “The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.”

When a guest uses a debit card in its stores and enters a PIN, the company noted, the PIN is essentially encrypted at the keypad with what is known as Triple DES, a highly secure encryption standard used broadly throughout the US.

“Target does not have access to nor does it store the encryption key within our system,” the company said. “The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the ‘key’ necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident.”

And that, Target said, means that customer debit card accounts cannot have been compromised due to the encrypted PINs being taken.

Details will no doubt continue to dribble out as the retailer continues its investigation, but it’s likely that it will continue to feel the hit on its brand by consumers. The YouGov consumer sentiment index found that in one day, from Thursday Dec. 19 through Friday Dec. 20, Target saw its consumer perception plummet 35 points, more than either Sony PlayStation or Citibank did one week after their high-profile breaches became public.

Despite CEO Gregg Steinhafel's decision to give a 10% discount on most store items over the weekend before Christmas, as well as free credit monitoring services for everyone impacted, “The retailer has reached its lowest consumer perception point since at least June 2007,” YouGov found. “This also marks the first time since that same time that Target has had more negative perception than positive perception.”
