- Target hackers allegedly stole encrypted PINs in ‘sophisticated’ operation
- The retailer says decryption key necessary to make PINs usable was not plundered
- Details of 40 million credit and debit card accounts stolen between November 27 and December 15
- Target faces at least 15 lawsuits seeking class action status
Daily Mail Reporter
18:23 GMT, 27 December 2013
21:01 GMT, 28 December 2013
Target has confirmed that customers’ encrypted PIN data was in fact removed during the catastrophic hack that occurred earlier this month.
The company issued a statement Friday that additional forensic work has shown that encrypted PIN data was removed along with customers’ names and card numbers.
But Target says it believes the PIN numbers are still ‘safe and secure’ because the information was strongly encrypted. It says the PIN can only be decrypted when received by its independent payment processor.
Revelation: Target says PIN data was stolen in the breach but there was no evidence that it has been compromised because it was highly encrypted
A PIN number is the personal identification code used to make secure transactions on a credit or debit card.
According to the company, the decryption key needed to translate the unintelligible code back into the PIN was not stolen during the breach because it was not in Target’s system.
‘We remain confident that PIN numbers are safe and secure,’ company spokeswoman Molly Snyder said in a statement cited by the Minneapolis Star Tribune. ‘The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.’
Data connected to about 40 million credit and debit cards used at Target were stolen between November 27 and December 15.
Minneapolis-based Target says it is still in the early stages of investigating the breach.
Snyder insisted earlier this week that ‘no unencrypted PIN data was accessed’ and there was no evidence that PIN data has been ‘compromised’.
She confirmed that some ‘encrypted data’ was stolen, but declined to say if that included encrypted PINs.
Denied: Target says there is no evidence PINs were compromised as part of the retail behemoth’s embarrassing and worrisome Christmastime security breach
The hackers who attacked Target Corp and compromised more than 40 million credit cards and debit cards also managed to steal encrypted personal identification numbers, according to a senior payments executive familiar with the situation.
One major U.S. bank fears that the thieves would be able to crack the encryption code and make fraudulent withdrawals from consumer bank accounts, said the executive, who spoke on the condition of anonymity because the data breach is still under
‘We continue to have no reason to believe that PIN data, whether encrypted or unencrypted, was compromised. And we have not been made aware of any such issue in communications with financial institutions to date,’ Snyder said by email.
‘To date, there is no evidence that unencrypted PIN data has been compromised,’ Target said in a statement.
‘In addition, based on our communications with financial institutions, they have also seen no indications that any PIN data was compromised,’ Target said.
The No. 3 U.S. retailer said last week that hackers stole data from as many as 40 million cards used at Target stores during the first three weeks of the holiday shopping season, making it the second-largest data breach in U.S. retail history.
Target has not said how its systems were compromised, though it described the operation as ‘sophisticated’.
The U.S. Secret Service and the Justice Department are investigating. Officials with both agencies have declined comment on the investigations.
The news comes as the retailer says it has learned of some incidents of scam emails related to its recent data breach.
The company says it is aware of ‘limited instances’ of scam emails, but does not have specific information.
The Minneapolis retailer says it is creating a section of its website for Target’s official communications so customers can verify the authenticity of notes from the retailer.
The attack could end up costing hundreds of millions of dollars, but it is unclear so far who will bear the expense.
CBS News reports the company faces at least 15 lawsuits seeking class action status as a result of the cyber-attack.
The suits were filed by people who claim their information was stolen, and they allege Target either failed to properly secure the customer data, did not promptly notify customers of the breach or
But with so little information disclosed so far about the breach, it is unclear whether the plaintiffs will be able to prove their allegations.
Hacked: The hackers who attacked Target and compromised more than 40 million credit cards and debit cards also allegedly managed to steal encrypted personal identification numbers
Meanwhile, Democratic U.S. Senators Richard Blumenthal of Connecticut and Chuck Schumer of New York have asked the U.S. Federal Trade Commission to investigate the breach.
‘If Target failed to adequately protect customer information, it denied customers the protection that they rightly expect when a business collects their personal information,’ Blumenthal said in a letter to FTC Chairwoman Edith Ramirez today.
‘Its conduct would be unfair and
bank customers are typically not liable for losses because of fraudulent activity on their credit and debit cards, JPMorgan Chase & Co and Santander Bank said they have lowered limits on how much cash customers can take out of teller machines and spend at stores.
unprecedented move has led to complaints from consumer advocates about the inconvenience it caused from the late November Thanksgiving holiday into the run-up to Christmas.
But sorting out account activity after a fraudulent withdrawal could take a lot more time and be worse for
JPMorgan has said it was able to reduce inconvenience by giving customers new debit cards printed quickly at many of its branches, and by keeping branches open for extended hours.
spokeswoman was not available for comment today.
experts said it is highly unusual for banks to reduce caps on withdrawals, and the move likely reflects worries that PINs have fallen into criminal hands, even if they are encrypted.
‘That’s a really extreme measure to take,’ said Avivah Litan, a Gartner analyst who specializes in cyber security and fraud detection. ‘They definitely found something in the data that showed there was something happening with cash withdrawals.’
Litigation: Target reportedly faces at least 15 lawsuits seeking class action status
While encryption may stop amateur hackers from obtaining the digital keys to customer bank deposits, the concern is that it cannot stop the kind of sophisticated cyber criminal who was able to infiltrate Target for three weeks.
Daniel Clemens, CEO of Packet Ninjas, a cyber security consulting firm, said banks were prudent to lower debit card limits because they will not know for sure if Target’s PIN encryption was infallible until the investigation is completed.
As an example of potential vulnerabilities in PIN encryption, Clemens said he once worked for a retailer who hired his firm to hack into its network to find security vulnerabilities.
He was able to access the closely guarded digital ‘key’ used to unscramble encrypted PINs, which he said surprised his client, who thought the data was secure.
In other cases, hackers can get PINs by using a tool known as a ‘RAM scraper’, which captures the PINs while they are temporarily stored in memory, Clemens said.
The attack on Target began on November 27, the day before the Thanksgiving holiday and continued until December 15.
Banks that issue debit and credit cards learned about the breach on December 18, and Target publicly disclosed the loss of personal account data on December 19.
On December 21, JPMorgan, the largest U.S. bank, alerted two million of its debit cardholders that it was lowering the daily limits on ATM withdrawals to $100 and capping store purchases with their cards at $500.
On Monday, the bank partly eased the limits it had imposed on Saturday, setting them at $250 a day for ATM withdrawals and $1,000 a day for purchases.
(The usual debit card daily limits are $200 to $500 for cash withdrawals and $500 for purchases, a bank spokeswoman said last week.)
On Monday, Santander – a unit of Spain’s Banco Santander – followed suit, lowering the daily limits on cash withdrawals and purchases on Santander and Sovereign branded debit and credit cards of customers who used them at Target when the breach occurred.
Santander did not disclose the new limits, but said it was monitoring the accounts and issuing new cards to customers who were affected.
The largest breach against a U.S. retailer, uncovered in 2007 at TJX Cos Inc, led to the theft of data from more than 90 million credit cards over about 18 months.