Since Target’s giant data security breach came to light last week, there’s been much discussion about whether thieves got the critical PINs for debit cards, which would make the stolen cards much more vulnerable to cloning and fraud.
The answer is yes.
Target Corp. confirmed Friday that the crooks made off with personal identification numbers (PINs). However, the company said the numbers were “strongly encrypted,” and insisted that customers’ debit card accounts have not been compromised by the theft of the encrypted PINs.
“We remain confident that PIN numbers are safe and secure,” company spokeswoman Molly Snyder said in a statement. “The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.”
The Minneapolis-based retail giant said it doesn’t store or have access to the encryption key in its systems.
“The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processors,” Snyder said. “What this means is that the ‘key’ necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident.”
Target did not say how many PINs were taken.
The high-profile theft hit Target during the important year-end shopping season. It was carried out with malicious software that somehow got onto the point-of-sale terminals in Target’s U.S. stores where shoppers swipe their cards, and exposed the credit- and debit-card information of 40 million people. The theft affected nearly everyone who used a card to pay for merchandise at Target between Nov. 27 and Dec. 15.
The 19-day breach, which was caught relatively quickly, is among the largest recorded data security breaches in the country.
The company said it’s still in the early stages of a “criminal and forensic investigation.”