A Target official has confirmed that encrypted PIN data was included in a breach that affected millions. Within the first three weeks of December, hackers obtained credit and debit card information for nearly 40 million Target shoppers.
Officials said the hackers gained access to the data on November 27. The breach continued until December 15. On December 19, Target confirmed up to 40 million customers’ personal credit and debit card information was compromised.
The breach is currently under investigation by the US Justice Department and Secret Service. However, neither agency has commented on its progress. Representatives with Target describe the attack as a “sophisticated” operation.
Reuters reports that a “senior payments executive” confirmed the data obtained by hackers included encrypted personal identification numbers (PINs).
Target spokeswoman Molly Snyder confirmed “encrypted data” was included in the breach. She said the hackers did not have access to unencrypted PIN data:
“The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.”
Cyber security expert Avivah Litan said several banks, including JPMorgan Chase & Co., have reduced caps on ATM withdrawal limits. Litan said cap reductions are “a really extreme measure” that would not be imposed unless “something happened with cash withdrawals.”
Daniel Clemens, another cyber security expert, said the hackers may be able to unscramble the data, despite Target’s PIN encryption system. Clemens said it is difficult to assess whether the system was infallible.
The Target incident is the second-largest data breach in retail history. In 2007, TJX Cos Inc. announced that credit card information was stolen from 90 million customers over a period of 18 months.
While Target has confirmed PINs were included in the breach, the company insists the encrypted data will be of no use to the hackers.