Target confirms encrypted PIN data stolen

Kevin McCoy | USA TODAY

Hackers who stole data for up to 40 million credit cards and debit cards used in Target stores removed encrypted data with personal identification numbers — but the theft isn't expected to compromise card holder accounts — the retail giant said Friday.

"We remain confident that PIN numbers are safe and secure," said a statement issued by Molly Snyder, a spokeswoman for the company hit by the November-December data breach.

According to the company, Target does not have access to nor does it store the encryption key within its computer systems. When a Target customer uses a debit card in one of the company's stores and enters his or her PIN, the number is encrypted at the keypad with a widely used security program known as Triple DES, the company said.

Triple DES is the common name for the Triple Data Encryption Algorithm, a standard designed to thwart efforts to crack encrypted data. The PIN data can only be decrypted when it is received by the company's external payment processor, Target said.

"What this means is that the 'key' necessary to decrypt that data has never existed within Target's system and could not have been taken during this incident," the company said, adding, "the most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken."

Brian Krebs, a computer security expert whose website first reported news of the data breach, said Target's disclosure means the thieves would have to find a way to break into electronic systems of the payment-processing company that works with the retail chain.

"It would involve a much more elaborate and multiparty compromise," said Krebs.

The hackers theoretically might try to crack the encryption with a so-called brute force attack, in which computers try every possible key until they find the correct one, said John LaCour, CEO of PhishLabs, a Charleston, S.C., firm that helps banks and e-commerce companies battle cybercrime. Such a tactic was unlikely to succeed, he said.

The PIN data could also be at risk if it were encrypted with a key that had relatively few characters, making it easier to crack, said Erik Cabetas, managing partner of Include Security, a New York City-based security consultant.

"If you shopped at Target during the time frame (of the data breach) your card is potentially at risk," said LaCour.

Proposed class-action lawsuits filed against the nation's third-largest retailer since the data breach have alleged that thieves might find a way to break the encryption and use the PINs to withdraw money from cardholders' bank accounts. A Reuters report earlier this week said one major bank executive voiced a similar fear.

Along with the encrypted PIN data, Minneapolis-based Target previously said that data thieves stole customer names, credit and debit card numbers, card expiration dates and the embedded code on the magnetic stripe on the back of cards used at Target between Nov. 27 and Dec. 15.

Target announced Monday that the Department of Justice is investigating the data theft, which has been called the second largest in U.S. history.