Target confirms hackers stole PINs, but should be unable to decrypt them

Target executives said Friday that the hackers who hit the retail chain just after Thanksgiving did indeed steal personal identification numbers, but claimed that the thieves will be unable to decrypt that data.

Information from up to 40 million credit and debit cards was put at risk as a result of the massive security breach, which stretched over two weeks.

“We remain confident that PIN numbers are safe and secure,” Target said in a press release. “The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.”

In the encryption process, when a customer uses a debit card and enters a PIN, the PIN is encrypted with Triple DES at the keypad. This encryption process is a highly secure standard used broadly throughout the United States.

“Target does not have access to nor does it store the encryption key within our system,” Target said. “The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor.”

The company asserted in its media statement that it’s unlikely that hackers would be able to withdraw money using stolen debit card information because the “key” necessary to decrypt that data has supposedly never existed within Target’s system and could not have been taken during the breach.

According to CNN, Target did not comment on the identity of its payments processor.

While Target stressed that company officials believe debit card accounts have not been compromised due to the encrypted PIN numbers being taken, customers who shopped at Target when the breach occurred should still contact their banks for more information on replacement cards and changing PIN numbers.

Read the original post at the Dallas Business Journal.
