Target Says Stolen PIN Data Can't Be Cracked

03 January 2014

Big-box retailer Target, suffering from a lack of traffic after a massive data breach that affected 40 million, now says the breach resulted in only encrypted PINs being lifted – which are tough to crack, if not virtually impossible. Nonetheless, Target's brand continues to take a hit.

First uncovered by security researcher Brian Krebs, the breach resulted in perpetrator(s) stealing credit and debit card “track data,” which enables the attackers to create (and sell) counterfeit cards. Anyone who swiped a card at a Target store between Nov. 27 and Dec. 15, the busiest shopping time of the year, could potentially be a victim. 

Target has now said that any debit card PIN information is likely safe and secure.

“While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed,” the company said in a statement. “The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.”

When a guest uses a debit card in a Target store and enters a PIN, the company noted, the PIN is encrypted at the keypad with Triple DES, which it described as a highly secure encryption standard used broadly throughout the US.

“Target does not have access to nor does it store the encryption key within our system,” the company said. “The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the ‘key’ necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident.”

And that, Target said, means that customer debit card accounts cannot have been compromised due to the encrypted PIN numbers being taken.

Details will no doubt continue to dribble out as the retailer continues its investigation, but its brand is likely to keep taking a hit with consumers. The YouGov consumer sentiment index found that in one day, from Thursday Dec. 19 through Friday Dec. 20, Target saw its consumer perception plummet 35 points, more than either Sony PlayStation or Citibank did one week after their high-profile breaches became public.

Despite CEO Gregg Steinhafel's decision to give a 10% discount on most store items over the weekend before Christmas, as well as free credit monitoring services for everyone impacted, “The retailer has reached its lowest consumer perception point since at least June 2007,” YouGov found. “This also marks the first time since that same time that Target has had more negative perception than positive perception.”
