Target confirmed this morning that encrypted PIN data was stolen in the Black Friday data breach that exposed 40 million accounts to fraud.
Spokesperson Molly Snyder said the ongoing forensics investigation confirmed that PIN data was accessed as well, contrary to previous claims made by the retail giant.
“We remain confident that PIN numbers are safe and secure,” Snyder said in a statement. “The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.”
The breach was reported Dec. 18 by website Krebs on Security and the company later confirmed that hackers had access to the company’s network starting the day before Thanksgiving until Dec. 15.
Since the breach, further reports from blogger Brian Krebs have surfaced that debit and credit card numbers stolen from Target have been seen for sale on underground forums by the millions. Krebs identified one such underground retailer as Rescator, a cards dealer operating on a Russian forum lampeduza[.]la.
The fear is that if the attackers have the PIN data and are able to crack the encryption securing those credentials, they will be able to clone debit cards and withdraw money from ATMs.
Target, meanwhile, said it does not have access to the encryption key used to secure the PIN data, nor was it stored on its systems.
“The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor,” Snyder said. “What this means is that the ‘key’ necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident.”
Snyder said PIN data is encrypted at a retail location’s keypad with Triple-DES encryption and that the data remains encrypted over the wire until it reaches the payment processor. Attackers would therefore have needed to compromise the point-of-sale system and intercept the PIN data before it was encrypted in order to access it.
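To make the described design concrete, here is an added example (not Target’s or its processor’s code) of how PIN-pad encryption keeps the PIN away from the merchant segment. It builds an ISO 9564 Format 0 PIN block, encrypts the single 8-byte block with Triple-DES using Go’s standard library, and shows that the merchant side only ever handles ciphertext while the processor, which alone holds the key, recovers the PIN. The PAN, PIN and both keys are constructed sample values; a static key is assumed purely for illustration, whereas deployed PIN pads use per-transaction (DUKPT) or zone keys, and the check-digit handling follows the Format 0 rule of using the 12 rightmost PAN digits excluding the check digit.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// panField builds the 16-hex-digit PAN field of ISO 9564-1 Format 0:
// four zero nibbles followed by the 12 rightmost PAN digits, excluding
// the Luhn check digit.
func panField(pan string) (string, error) {
	if len(pan) < 13 {
		return "", errors.New("PAN too short for Format 0")
	}
	body := pan[:len(pan)-1] // drop the check digit
	return "0000" + body[len(body)-12:], nil
}

// BuildPINBlock returns the clear Format 0 PIN block: the PIN field
// (0, length nibble, PIN digits, F padding) XORed with the PAN field.
func BuildPINBlock(pin, pan string) ([8]byte, error) {
	var block [8]byte
	if len(pin) < 4 || len(pin) > 12 {
		return block, errors.New("PIN length must be 4..12")
	}
	for _, c := range pin {
		if c < '0' || c > '9' {
			return block, errors.New("PIN must be decimal digits")
		}
	}
	pinField := fmt.Sprintf("0%X%s", len(pin), pin)
	pinField += strings.Repeat("F", 16-len(pinField))
	pf, err := panField(pan)
	if err != nil {
		return block, err
	}
	pinBytes, _ := hex.DecodeString(pinField)
	panBytes, _ := hex.DecodeString(pf)
	for i := range block {
		block[i] = pinBytes[i] ^ panBytes[i]
	}
	return block, nil
}

// EncryptPINBlock is what the PIN pad does: one Triple-DES block under a
// key the merchant never holds. key must be 24 bytes (three DES keys).
func EncryptPINBlock(key []byte, block [8]byte) ([8]byte, error) {
	var out [8]byte
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return out, err
	}
	c.Encrypt(out[:], block[:])
	return out, nil
}

// DecryptPINBlock is the processor side; it needs the same key.
func DecryptPINBlock(key []byte, ct [8]byte) ([8]byte, error) {
	var out [8]byte
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return out, err
	}
	c.Decrypt(out[:], ct[:])
	return out, nil
}

// ExtractPIN reverses Format 0 and validates the block structure, so a
// block decrypted under the wrong key is rejected rather than trusted.
func ExtractPIN(block [8]byte, pan string) (string, error) {
	pf, err := panField(pan)
	if err != nil {
		return "", err
	}
	panBytes, _ := hex.DecodeString(pf)
	var clear [8]byte
	for i := range clear {
		clear[i] = block[i] ^ panBytes[i]
	}
	h := strings.ToUpper(hex.EncodeToString(clear[:]))
	if h[0] != '0' {
		return "", errors.New("not a Format 0 PIN block")
	}
	n := int(clear[0] & 0x0F)
	if n < 4 || n > 12 {
		return "", errors.New("bad PIN length nibble")
	}
	pin := h[2 : 2+n]
	for _, c := range pin {
		if c < '0' || c > '9' {
			return "", errors.New("non-decimal PIN digit")
		}
	}
	if strings.Trim(h[2+n:], "F") != "" {
		return "", errors.New("bad padding")
	}
	return pin, nil
}

func main() {
	// Constructed sample values, not real card data or keys.
	pan, pin := "4111111111111111", "1234"
	processorKey := []byte("processor-key-24-bytes!!") // held only by the processor
	otherKey := []byte("attacker-guess-24-bytes!")     // any key that is not the right one

	clear, _ := BuildPINBlock(pin, pan)
	ct, _ := EncryptPINBlock(processorKey, clear) // done inside the PIN pad
	fmt.Printf("merchant network sees only: %x\n", ct)

	pt, _ := DecryptPINBlock(processorKey, ct) // done at the processor
	got, err := ExtractPIN(pt, pan)
	fmt.Println("processor recovers PIN:", got, err)

	wrong, _ := DecryptPINBlock(otherKey, ct) // ciphertext without the key
	_, err = ExtractPIN(wrong, pan)
	fmt.Println("without the key:", err)
}
```

The design point this illustrates is the one in the statement above: the only place the clear PIN exists is inside the PIN pad before encryption, and the only place it can be recovered is wherever the key lives. Stored ciphertext on the merchant side is inert without that key, which is why the residual risk the article identifies is interception before encryption, not the copied ciphertext itself.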
“The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken,” Snyder said.
Target has also brought in the U.S. Secret Service and U.S. Dept. of Justice to investigate the breach, along with an unnamed third-party computer forensics firm. On Monday, state attorneys general met via conference call with Target general counsel Tim Baer and plan a follow-up call Jan. 6. The state AGs were made aware of a number of phishing and other scams in circulation regarding stolen Target data and informed consumers that Target will launch a dedicated resource on its corporate website that will host information pertinent to the breach.
The breach affects only customers who shopped at physical Target stores, though consumers nationwide are affected; online shoppers at Target.com apparently are not impacted. The attackers made off with track data, the cardholder information stored on the magnetic stripes of payment cards.
Reuters, meanwhile, reported on Tuesday that Santander Bank and JPMorgan Chase lowered the limits on how much cash can be withdrawn from ATMs, an indication, experts said, that the PINs were stolen as well.