A day after denying a report that PIN data was stolen during a pre-holiday security breach that affected some 40 million customers, Target confirmed Friday that the data had indeed been “removed.”
Reuters had reported Thursday that personal identification numbers were stolen amid a hack that compromised information for those that used credit or debit cards during the period from Nov. 27 to Dec. 15.
Up to 40 million cards could have been affected.
A Target spokeswoman had told Reuters in a story published Thursday that “no unencrypted PIN data was accessed” and there was no evidence that PIN data has been “compromised,” confirming only that some encrypted data was stolen.
Then, on Friday, the Minneapolis-based retailer issued a statement confirming PINs were stolen, but seeking to downplay the impact.
Below is the statement in full:
Our investigation into the data breach incident is continuing and ongoing. While we are still in the early stages of this criminal and forensic investigation, we continue to be committed to sharing the facts as they are confirmed.
While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed. We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.
To help explain this, we want to provide more context on how the encryption process works. When a guest uses a debit card in our stores and enters a PIN, the PIN is encrypted at the keypad with what is known as Triple DES. Triple DES encryption is a highly secure encryption standard used broadly throughout the U.S.
Target does not have access to nor does it store the encryption key within our system. The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the “key” necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident.
The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken.
Target created a web page for customers to get information about the breach to ensure that customers were getting correct information directly from the retailer and would not be subject to phishing scams.
The U.S. Secret Service and the Department of Justice are investigating the breach.
Target and banks have assured customers they will not be responsible for fraudulent activity on their accounts, but advised those affected to closely monitor purchases on their account statements.
The nation’s third-largest retailer, Target faces multiple class-action lawsuits over the hack.