Friday, December 27, 2013

Target: After Initial Denials, Admits PINs Were Obtained

This is not going to make my wife any happier with Target. I've posted two earlier stories, different sources, suggesting that the Target breach included PINs, which Target has steadfastly denied until today.

AP through Yahoo!News is reporting:
Target says customers' encrypted PIN data was removed during the massive data breach that occurred earlier this month.
Previously Target had said that encrypted data was stolen but stopped short of identifying it as PIN numbers. But the company issued a statement Friday that additional forensic work has shown that encrypted PIN data was removed along with customers' names and card numbers.
A PIN number is the personal identification code used to make secure transactions on a credit or debit card.
Data connected to about 40 million credit and debit cards used at Target were stolen between Nov. 27 and Dec. 15. Security experts say it's the second-largest theft of card accounts in U.S. history, surpassed only by a scam that began in 2005 involving retailer TJX Cos. In addition to the encrypted PIN numbers, the stolen data from Target included customer names, credit and debit card numbers, card expiration dates and the embedded code on the magnetic strip on back of the card.
Still, Target said it believes the PIN numbers are still safe because the information was strongly encrypted. The retailer said that PIN information is encrypted within its systems and can only be decrypted when it is received by its external, independent payment processor.
Sure, strongly encrypted. Until "it is received by its external, independent payment processor."

Target continues to tell folks to continue using their credit cards without cancelling and getting new account numbers, at least according to two folks who have asked the question directly. Okay.  

I find it interesting that two sources, one as early as December 20th, or thereabouts, suggested that PINs had been stolen. To date, most folks affected by the theft have not received an e-mail from Target explaining exactly what it going on. My daughter / son-in-law stopped by our neighborhood Target store yesterday and were surprised to see most (all?) shoppers paying in cash. They are used to seeing credit card after credit card in their Portland, Oregon, Target store, so no credit cards being used here at the local Target store caught their eye(s).

No comments:

Post a Comment