The cybercrooks behind Target’s data breach made off with the personal identification numbers of millions of customer debit cards, contrary to the company’s initial report.
The Minneapolis retail giant on Friday confirmed that PINs were stolen but added in an e-mailed statement that the numbers were “strongly encrypted” and the debit card accounts have not been compromised. Despite their theft, the PINs are still “safe and secure,” Target said.
Target acknowledged the breach Dec. 19 after an IT security blogger reported that customer names, credit and debit card numbers, expiration dates and CVV codes were stolen from the company. In the days that followed, Target repeatedly said PINs weren’t compromised or affected.
PINs hold special value for card thieves as they make it easy to quickly cash out a card and drain an unsuspecting victim’s checking account.
Company spokeswoman Molly Snyder said in a statement that “the ‘key’ necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident.”
The company declined to elaborate.
Target’s confidence in the PIN encryption is likely justified, said several data security experts interviewed by the Star Tribune. PIN encryption technology is “pretty rock solid,” said Jacob Ansari, a forensics investigator at 403 Labs LLC in Brookfield, Wis.
Data specialists cautioned, however, that no security is perfect. It’s possible to crack encryption using so-called brute force methods, said Kevin Mandia, CEO of cybersecurity firm Mandiant Corp. in Alexandria, Va.
Tough PIN encryption might stop a thief from running to the ATM, but it doesn’t offer protection against stolen debit cards being used for fraud online, and it doesn’t prevent debit cards from being run as credit cards without the PIN.
PIN encryption also doesn’t address the credit card information pilfered during the cyberattack.
The 19-day breach, which was caught relatively quickly, is among the country’s largest recorded data security breaches. It exposed the credit and debit card information of 40 million people who paid with plastic at U.S. Target stores between Nov. 27 and Dec. 15.
The stolen information included all types of credit and debit cards, including Target’s own Redcard.
Target is still trying to determine how the attack happened. What is known is that malicious software infected the point-of-sale terminals in the company’s U.S. stores, where shoppers swipe their cards. The intrusion remains under investigation by the Secret Service, the Justice Department, Target and a third-party forensics team.
The company said it’s still in the early stages of a “criminal and forensic investigation,” and is not under investigation itself.
Target has been hit with more than a dozen lawsuits across the country from angry shoppers who have accused the company of lax security that failed to protect their sensitive financial information.
While the origin of the attack remains a matter of speculation, Mandia, the cybersecurity expert, suspects the Target attack originated outside the country.
“Almost every attack of consequence, like the one at Target, came out of Russia,” said Mandia, who has been responding to such attacks for two decades. “I know of very few exceptions.”
An attack from outside the U.S. makes the most sense, Mandia said, because there’s less risk of being prosecuted. “We just don’t have the jurisdictional reach back.”