Target says some PINs stolen but confident data secure

CARLO ALLEGRI/REUTERS - Sen. Charles Schumer is pictured through a Target shopping cart as he holds a news conference about the massive credit card hack that has affected 40 million Target customers.

BOSTON — Target said PIN data from some customers’ bank ATM cards was stolen in a massive cyberattack at the third-largest U.S. retailer, but it was confident that the information was “safe and secure.”

The stolen PIN data was “strongly encrypted” when it was removed from Target’s systems, spokeswoman Molly Snyder said in a statement Friday.

“The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken,” Snyder said.

Target uses the Triple DES encryption standard, and the PIN data can be unlocked only with a digital cryptographic “key” once it is received by the company’s outside payment processor, she noted. Target has declined to identify its payment processor.

“The ‘key’ necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident,” Snyder said.

Some security experts said that even if the encryption is not broken, cybercriminals can still break the PINs.

“There is potential for gaining access to debit card accounts,” said Shane Shook, an executive with the cybersecurity firm Cylance.

While it is virtually impossible to decrypt a PIN without the digital key to unlock it, Shook said many debit card holders choose easy-to-guess numbers such as 1234. He said that in some investigations he has found that more than 20 percent of PINs could easily be guessed.

Chris Morales, research director with NSS Labs and a security expert who has helped investigate major breaches, said the hackers may be able to crack the PINs on some of the stolen debit cards.

U.S. merchants and banks have refused to adopt technologies used overseas, such as embedding credit cards with computer chips for additional security. Instead, PINs are used to secure accounts, leaving them more vulnerable to theft.

“PINs are not secure,” Morales said.

Madeline Aufseeser, a credit card analyst with research firm Aite Group, said she does not believe the hackers could unscramble the PINs, but still advises Target customers whose accounts have been compromised to replace their cards immediately.

“Smart consumers are calling their banks and getting them reissued,” she said. “Better safe than sorry.”

Target has said little about how the cybercrooks accessed its network or stole the data in the attack, which breached 40 million payment card numbers at unprecedented speed.

The attack began Nov. 27, the day before the Thanksgiving holiday, and continued until Dec. 1, making it the second-largest data breach in U.S. retail history. The largest breach against a U.S. retailer, uncovered in 2007 at TJX, led to the theft of data from more than 90 million credit cards in about 18 months.

News of the breach at Target has hurt the retailer’s reputation and stock price. Target’s consumer perception scores dropped to their lowest level since 2007 after the breach, according to a survey of 15,000 people by YouGov BrandIndex, which tracks thousands of brands around the world.

The Minneapolis-based retailer’s shares have fallen about 2.3 percent since Dec. 18, when news of the cyberattack broke, while the Standard & Poor’s 500 index has risen 1.7 percent during the same period. Target shares closed at $62.15 Friday, down 0.5 percent.

— Reuters

 