US retailer Target has disclosed that the credit card PIN numbers taken in the breach were encrypted
US retail giant Target is still reeling from the impact of a massive data breach affecting 40 million credit and debit card accounts, though the company is now emphasising that things are not quite as bad as some might think.
Target publicly acknowledged on 19 December that its US retail stores had been the victim of a data breach.
In the days since, few details on the actual method used by attackers to exploit Target have been officially disclosed, though Target has provided new insight into some of its own security practices.
The Target hack targeted point-of-sale payment systems, including those used by retail consumers to enter their debit card PIN. In order for anyone to use a debit card, a PIN number is required, making the security of the PIN information an extremely critical component of any retailers’ infrastructure.
In a public media update published on 27 December, Target stressed that its customers’ PIN information was strongly encrypted using the Triple Data Encryption Standard (DES).
“The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems,” Target stated.
Going a step further, Target noted that it does not hold the Triple DES encryption keys within its own system and the data can only be decrypted by a payment processor.
“What this means is that the key necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident,” Target stated. “The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken.”
While Target has continued to reassure its customers that it is doing everything in its power to limit the risk, the legal implications of the breach are coming to the surface as well.
Multiple lawsuits have been filed across the United States by Target customers in regards to the credit and debit card information theft.
Target is working to keep Attorney Generals across the United States informed about its activities and the data breach. Target Executive Vice President and General Counsel Tim Baer hosted a call on 23 December with the majority of state Attorneys General about the breach.
“We are committed to keeping the attorneys general informed as the ongoing investigation moves forward and will host a follow-up call with them the week of 6 January,” Target stated.
Are you a security pro? Try our quiz!
Originally published on eWeek.