Target confirmed Thursday that the PIN data of its customers’ bank ATM cards were stolen in the previously reported huge breach affecting 40 million card accounts.
But the third-largest U.S. retailer said it was sure that the PIN information remains “safe and secure.”
“We remain confident that PIN numbers are safe and secure,” Target said in Thursday’s statement. “The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.”
Target may have downplayed the ramifications of the PIN theft, but some security experts warn that it exposed customers to more risk than the retailer had previously revealed.
“It means there is potential for gaining access to debit card accounts,” Shane Shook, an executive with the cyber security firm Cylance Inc, who has investigated some of the biggest cyber breaches, told Reuters.
The problem is that many debit card users deploy easy-to-guess numbers like 1234. Shook told Reuters that in some investigations he has found that more than 20 percent of PINs could easily be guessed.
Security experts advise all Target debit card users to replace their cards if they haven’t already done so. The breach occurred from Nov. 27 through Dec. 1.
Here’s more from Target’s statement Thursday:
“Target does not have access to nor does it store the encryption key within our system. The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the ‘key’ necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident.”
“The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken.”