Target has finally acknowledged that personal indentification numbers or PINs of 40 million customers were stolen during the credit cards and debit cards data breach that took place from Nov. 27 through Dec. 15.
Earlier, the retail giant had denied that PINs were stolen and only names of customers and other personal information were stolen by the hackers.
However, on Friday, Target had a different story to tell.
"While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed. We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems," the company said in a press statement.
"To help explain this, we want to provide more context on how the encryption process works. When a guest uses a debit card in our stores and enters a PIN, the PIN is encrypted at the keypad with what is known as Triple DES. Triple DES encryption is a highly secure encryption standard used broadly throughout the U.S.
"Target does not have access to nor does it store the encryption key within our system. The PIN information is encrypted within Target's systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the "key" necessary to decrypt that data has never existed within Target's system and could not have been taken during this incident.
"The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken," the company said.
In other words, Target is saying that though the hackers may have managed to get their hands on the PINS, the company believes that the PINs have not been compromised because the PINs were encrypted and cannot be decrypted without the right decryption keys. And, these decryption keys were safe due to the fact that they were not stored on the servers hit by the attack.
So, Target is confident that the PIN numbers that were taken during the incident will remain encrypted and inaccessible.
However, the banks are not so sure. An anonymous source from a major bank disclosed to Reuters that it is possible for hackers to crack the encryption on the PIN numbers. If true, this could prove to be problematic for Target as well as the millions of affected customers who have had their credit and debit card information comprised. In light of this, some US banks such as Santander Bank and JPMorgan Chase & Co have placed reduced limits on the amounts of cash that people can spend on purchases or withdraw from ATM machines. These precautionary measures suggest that the banks involved feel they need to take precautions and cannot rely on Target's assurances that the PINs are safe.
Shares of Target closed down 0.53 percent at $62.15 on the NYSE on Friday.
