The retail company Target announced that customer personal identification number (PIN) information “had not been breached” after 40 million customer credit and debit card records were stolen recently, according to a story published by the New York Times. Target announced, in previous statements, that the attackers “made off with customers’ encrypted PIN information”
but “the company stored the keys to decrypt its PIN data on separate systems from the ones that were hacked“, according to the article. Even though this incident primarily affected the retail marketplace, it also leaves multiple industries concerned about additional breaches in data storage, outdated security measures, network vulnerabilities and malicious attacks by hackers in their own environments.
Molly Snyder, spokeswoman for Target, was quoted in the article to say, “We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.” The report states that the credit and debit cards of Target customers have already been selling on the black market where “a single card is selling for as much as $100.” Stolen card data can be used to create counterfeit cards, but if criminals obtain the PIN data, money can be transferred or withdrawn via a bank automatic teller machine (ATM), according to the article. In past cases, according to the report, security experts found that hackers managed to gain access to the keys and unscramble encrypted data even if “the key to unlock the encryption is stored on separate systems.”
As the Secret Service and Justice Department continue to investigate, the report indicates that this breach of Targets security is the second largest in retail history. The 2005 TJ Maxx breach compromised records for 90 million customers and remains to have been the most devastating invasion to date.