By Jim Finkle and Dhanya Skariachan
BOSTON/NEW YORK Dec 27 Target Corp said
PIN data of some customers' bank ATM cards were stolen in a
massive cyber attack at the third-largest U.S. retailer, but it
was confident that the information was "safe and secure."
The stolen PIN data was "strongly encrypted" when it was
removed from Target's systems, spokeswoman Molly Snyder said in
a statement on Friday.
"The most important thing for our guests to know is that
their debit card accounts have not been compromised due to the
encrypted PIN numbers being taken," Snyder said.
News of the PIN theft was first reported by Reuters on
Target uses the Triple DES encryption standard that can only
be unlocked with a digital cryptographic "key" when the PIN data
is received by the company's outside payment processor, she
Target has declined to identify its payment processor.
"The 'key' necessary to decrypt that data has never existed
within Target's system and could not have been taken during this
incident," Snyder said.
Some security experts said that even if the encryption is
not broken, cyber criminals can still break the PINs.
"There is potential for gaining access to debit card
accounts," said Shane Shook, an executive with the cyber
security firm Cylance Inc, who has investigated some of the
biggest cyber breaches.
While it is virtually impossible to decrypt a PIN without
the digital key to unlock it, Shook said many debit card holders
choose easy-to-guess numbers like 1234. He said that in some
investigations he has found that more than 20 percent of PINs
could easily be guessed.
Chris Morales, research director with NSS Labs and a
security expert who has helped investigate major breaches, said
the hackers may be able to crack the PINs on some of the stolen
U.S. merchants and banks have refused to adopt technologies
used overseas, such as embedding credit cards with computer
chips for additional security. Instead they use
PINs to secure accounts, which leave them more vulnerable to
"PINs are not secure," Morales said.
Criminals can identify PINs by using online systems some
banks offer which allow customers to access their accounts using
their debit card numbers and PINs, he said.
Madeline Aufseeser, a credit card analyst with research firm
Aite Group, said she does not believe the hackers could
unscramble the PINs, but still advises Target customers whose
accounts have been compromised to replace their cards
"Smart consumers are calling their banks and getting them
reissued," she said. "Better safe than sorry."
Target has said little about how the cyber crooks accessed
its network or stole the data in the attack which breached 40
million payment card numbers at unprecedented speed.
BAD TIMING FOR TARGET
The attack began on Nov. 27, the day before the Thanksgiving
holiday and continued until Dec. 1, making it the second-largest
data breach in U.S. retail history.
The largest breach against a U.S. retailer, uncovered in
2007 at TJX Cos Inc, led to the theft of data from more
than 90 million credit cards over about 18 months.
News of the breach at Target has hurt the retailer's
reputation and stock price.
Target's consumer perception scores dropped to their lowest
level since 2007 after the breach, according to a survey of
15,000 people by YouGov BrandIndex, which tracks thousands of
brands around the world.
"Target's problems may very well continue and that is
unfortunate, as we've been seeing a little bit of a perception
rebound the last two days," YouGov BrandIndex Chief Executive
Ted Marzilli said.
Marzilli said Target's perception scores bottomed out the
day before Christmas and the impact from the latest news could
be less severe now that the holiday shopping rush is over.
The Minneapolis-based retailer's shares have fallen about
2.3 percent since Dec. 18, when news of the cyber attack broke,
while the Standard & Poor's 500 index has risen 1.7 percent over
the same period.
Target is due to report quarterly results on Feb. 26, but
may disclose the impact of the breach sooner.