Target confirmed Friday that encrypted debit card PIN data was stolen in the Nov. 27 through Dec. 15 credit and debit card breach, but the company is "confident that PIN numbers are safe and secure."
"The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken," Target said in a statement.
TARGET STATEMENT, DEC. 27
Our investigation into the data breach incident is continuing and ongoing. While we are still in the early stages of this criminal and forensic investigation, we continue to be committed to sharing the facts as they are confirmed.
While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed. We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.
To help explain this, we want to provide more context on how the encryption process works. When a guest uses a debit card in our stores and enters a PIN, the PIN is encrypted at the keypad with what is known as Triple DES. Triple DES encryption is a highly secure encryption standard used broadly throughout the U.S.
Target does not have access to nor does it store the encryption key within our system. The PIN information is encrypted within Target's systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the "key" necessary to decrypt that data has never existed within Target's system and could not have been taken during this incident.
The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken.
MONITOR OR CANCEL
Until now, Target and card-issuing banks have urged customers to monitor their statements for suspicious activity; however, some experts caution that the only way to ensure affected customers won't be victimized further is to get a replacement card with a new number.
"Consumers need to take responsibility for their own security," said Mark Lanterman, CEO and chief technical officer of Computer Forensic Services. "If you have used a card at Target during this period of time, cancel it."
40 MILLION ACCOUNTS POSSIBLE
The retail breach is already being described as the second-largest in U.S. history, affecting as many as 40 million credit and debit card users who shopped in stores between Nov. 27 and Dec. 15.
The investigation into the data breach remains ongoing. Both the U.S. Secret Service and the Department of Justice are involved.