ATLANTA (AP) -- Target says customers' encrypted PIN data was removed during the massive data breach that occurred earlier this month, but it's "confident that PIN numbers are safe and secure" despite the security breach.
Previously, Target had said that encrypted data was stolen but stopped short of identifying it as PIN numbers. But the company issued a statement Friday saying that additional forensic work has shown that encrypted PIN data was removed along with customers' names and card numbers.
A PIN number is the personal identification code used to make secure transactions on a credit or debit card.
Data connected to about 40 million credit and debit cards used at Target were stolen between Nov. 27 and Dec. 15. Security experts say it's the second-largest theft of card accounts in U.S. history, surpassed only by a scam that began in 2005 involving retailer TJX Cos. In addition to the encrypted PIN numbers, the stolen data from Target included customer names, credit and debit card numbers, card expiration dates and the embedded code on the magnetic strip on the back of the card.
Still, Target said it believes the PIN numbers remain safe because the information was strongly encrypted. The retailer said that PIN information is encrypted within its systems and can only be decrypted when it is received by its external, independent payment processor.
"We remain confident that PIN numbers are safe and secure," said spokeswoman Molly Snyder in an emailed statement. "The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems."
Minneapolis-based Target said it is still in the early stages of investigating the breach. It has been working with the Secret Service and the Department of Justice.
December 27, 2013
Our investigation into the data breach incident is continuing and ongoing. While we are still in the early stages of this criminal and forensic investigation, we continue to be committed to sharing the facts as they are confirmed.
While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed. We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.
To help explain this, we want to provide more context on how the encryption process works. When a guest uses a debit card in our stores and enters a PIN, the PIN is encrypted at the keypad with what is known as Triple DES. Triple DES encryption is a highly secure encryption standard used broadly throughout the U.S. Target does not have access to nor does it store the encryption key within our system. The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the “key” necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident. The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken.