BreachExchange mailing list archives

Target Admits Customer PIN Data Removed but Says It's 'Secure'


From: Jake <jake () riskbasedsecurity com>
Date: Fri, 27 Dec 2013 15:28:58 -0500

http://abcnews.go.com/Business/target-corp-admits-customer-pin-data-removed-maintains/story?id=21348261

Target Corp. said that PIN data was lifted during its massive data
breach, but that it's "confident that PIN numbers are safe and
secure."

"The most important thing for our guests to know is that their debit
card accounts have not been compromised due to the encrypted PIN
numbers being taken," Target said in a statement today about the data
breach that might have affected as many as 40 million customers
between Nov. 27 and Dec. 15.

Earlier this week, a Reuters report said debit card PIN data may have
been compromised, which Target denied. But through "additional
forensics work" on Friday morning, the company confirmed "that
strongly encrypted PIN data was removed."

Target defended its position saying the PIN is encrypted at the keypad
with what is known as Triple DES when a guest uses a debit card in its
stores and enters a PIN.

"The PIN information was fully encrypted at the keypad, remained
encrypted within our system, and remained encrypted when it was
removed from our systems," Target said in its statement on Friday.

"I hope they are right because that information, along with the credit
and debit numbers of millions of Target customers, has been in the
hands of 'very sophisticated' criminals for over four weeks and has
been, and is probably still being, sold in the black markets," said
Adam Levin, chairman and co-founder of Identity Theft 911.

Target said it "does not have access to nor does it store the
encryption key" within its system.

"The PIN information is encrypted within Target's systems and can only
be decrypted when it is received by our external, independent payment
processor," Target said on Friday. "What this means is that the 'key'
necessary to decrypt that data has never existed within Target's
system and could not have been taken during this incident."

Experts believed the PINs might have been compromised because banks
such as JPMorgan Chase decided to limit ATM withdrawals and debit card
purchases of affected Target customers.

Target is reaching out to affected customers after it learned scam
artists posing as company representatives tried to steal more personal
information.

Kiersten Todt, president and managing partner of Liberty Group
Ventures, said it appears that Target took expensive steps to protect
its consumer data.

"Target has obviously done a rigorous forensic analysis and shared
that the encryption technology used to protect PIN data kept it secure
for its customers, so that if the PIN data were stolen it is not
accessible because it was fully encrypted," she said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.

