Target Corp. said the cyber-crooks who hacked their way to approximately 40 million customer credit and debit card accounts during the holiday season accessed “strongly encrypted” PIN information.
Still, the retailer said Friday that it remains “confident that PIN numbers are safe and secure.”
The PIN data is encrypted as it’s entered by a customer at a keypad at checkout, protected with what’s known as Triple DES encryption, according to Target.
The PIN information stays encrypted within Target’s system and “remained encrypted when it was removed,” the Minneapolis-based company said.
The PIN data can only be decrypted once it is received by Target’s external, independent payment processor, according to the retailer.
“What this means is that the ‘key’ necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident,” the company said Friday.
The retailer didn’t address the possibility that hackers sophisticated enough to execute a break-in during prime shopping season -- lasting from the crazed Black Friday weekend through Dec. 15 -- might be able to outwit the encryption defense.
“The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken,” Target said.
The company said its investigation into the incident is “still in the early stages” and “is continuing and ongoing.”
Phony credit cards made with the stolen information are already being sold on the black market, according to some reports. A senator from Connecticut is calling for a probe into Target’s security infrastructure; several state attorneys general have asked for more information on the hack.
After the breach, Target’s perception among consumers hit its lowest point in more than six years, according to sentiment tracker YouGov BrandIndex.