There were fears aplenty once the news broke about US retailer Target being hit with a major data breach. Potentially 40 million customers had their data exposed during the peak of the holiday shopping season. One of those fears was that the thieves had captured not just credit card numbers and expiration dates, but also PIN numbers. After making a statement yesterday that PIN numbers were not stolen, Target backtracked today and said that, yes, PIN data was stolen.
Here’s an excerpt from Target’s communication on the PIN issue (the bold face is Target’s):
While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed. We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.
To help explain this, we want to provide more context on how the encryption process works. When a guest uses a debit card in our stores and enters a PIN, the PIN is encrypted at the keypad with what is known as Triple DES. Triple DES encryption is a highly secure encryption standard used broadly throughout the U.S.
Target does not have access to nor does it store the encryption key within our system. The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the “key” necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident.
If you shopped with a debit card or credit card that contains a PIN number at Target during the period of November 27 through December 15, 2013, you should think about changing your PIN number.
The biggest concern here is that those who purchase these stolen cards, which are already available on the black market, can use the PIN data with the card to take cash out of ATMs. The theft, which was certainly timed to hit during the busiest shopping time of the year in the US, is having major ramifications for Target, its customers and banks. Some banks have placed limits on the credit cards of customers who shopped at Target during the period, in order to protect those customers and reduce the bank’s liability.
The story is far from over, and as the investigation is ongoing and obviously fast-moving, we’ll hear more in the coming days. Combined with the shipping woes that some experienced this holiday season, I would imagine we will see some interesting shifts in shopping and shipping patterns next holiday season in the US.