PIN Numbers Stolen in Target Breach

The retailer confirmed that strongly encrypted PIN data was removed from its system during the security breach that took place between Black Friday and Dec. 15.

According to Target, PIN data is "safe and secure" despite the security breach.

Target on Friday confirmed that strongly encrypted PIN data was removed from its system during the security breach that took place between Black Friday and Dec. 15.

This story first appeared in the December 30, 2013 issue of WWD.

The breach could impact 40 million shoppers who used credit cards or debit cards at Target’s U.S. stores during that period; however, online shoppers have not been affected.

The incident has been gathering steam in the media. Along with consumers’ growing voices of frustration and anger, attorneys general in several states have pledged to try to help their constituents whose credit card accounts were compromised to deal with the fallout.

Sen. Richard Blumenthal (D., Conn.) has asked the Federal Trade Commission to immediately open an investigation into Target’s security breach, saying the FTC has the authority and responsibility to investigate. Meanwhile, the National Association of Federal Credit Unions continues to press for passage of data security requirements for retailers.

“While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed,” Target said Friday. “We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system and remained encrypted when it was removed from our systems.”

Terence Spies, chief technology officer at Voltage, which sells technology that enables encryption of credit card data, explained the transfer of data from store sales terminal to payment processor. “When a customer enters a PIN number for a debit card at a sales terminal, the PIN device contains an encryption key that’s unique to that device and often changes with every transaction,” he said. “A big piece of data takes the [encrypted information] to the processor. It’s processed in a hardware security module, and that’s the only place it ends up getting decrypted.”

Spies said the protocol for proper key management is fairly well established. “If you do proper key management, it can make the information useless to an attacker,” he said. However, account information, found on the magnetic stripe of a credit or debit card, is harder to protect. “Someone was selling account numbers on relatively obscure Eastern European Web sites,” Spies said. “They got tracking data from the strip on the back of the card. They can use it to build a fake card.” Along with account data, the cyberthieves stole zip code data, which makes the fake cards more effective. The PIN data is probably quite secure.

“There’s an extremely good chance some fraudulent transactions will be made against those cards,” Spies said.

While Spies said cybercriminals are getting more professional, he believes they couldn’t have done it alone in the case of Target. “It looks like someone had insider knowledge or had built some sort of malware that went live on the point-of-sale terminals and spread across a large number of stores very quickly and captured data for a number of days. There’s a good chance that there was some amount of insider knowledge.”

Doug Johnson, vice president of risk management policy at the American Bankers Association, said it was possible but highly unlikely that the “strongly encrypted” PIN data, which uses the “Triple DES” encryption that is the industry standard within the banking and retail industries, could be decrypted by the thieves who penetrated Target’s system.

“Anything is possible within the cryptology world, but it’s still very difficult to decrypt and not generally within the skill sets of criminals,” he told WWD. “Target was correct in pointing out that it doesn’t have the key, which happens on the other side of the card network, with the financial institutions. Target’s statement today seemed to me an accurate depiction of how the situation developed.”
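The pad-to-processor flow Spies describes and the Triple DES point Johnson makes, shown as an added example that is not Target's, Voltage's or any processor's code: the PIN pad forms an ISO 9564-1 format 0 PIN block (PIN mixed with the card number), encrypts it as a single 3DES block, and everything downstream of the pad handles only that ciphertext; the decryption and format check belong to the processor's HSM, the only party holding the key. The 24-byte key, the PAN and the PIN in the test are constructed values, and a fixed device key stands in for the per-transaction derivation (DUKPT, ANSI X9.24) that Spies alludes to.

```go
package main
import "crypto/des"
import "encoding/hex"
import "fmt"
import "strings"

// xorPAN XORs in the ISO 9564-1 format 0 PAN field: "0000" + the 12 PAN digits before the check digit.
func xorPAN(block []byte, pan string) {
	pf, _ := hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1]) // PAN is digits only
	for i := range block {
		block[i] ^= pf[i]
	}
}

// pinBlockFormat0 is the clear block the PIN pad forms: PIN field (control 0, length, digits, F pad) XOR PAN field.
func pinBlockFormat0(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || len(pan) < 13 || strings.Trim(pin, "0123456789") != "" {
		return nil, fmt.Errorf("PIN must be 4..12 digits and PAN at least 13 digits")
	}
	pf := fmt.Sprintf("0%X%s", len(pin), pin)
	block, _ := hex.DecodeString(pf + strings.Repeat("F", 16-len(pf))) // valid hex by construction
	xorPAN(block, pan)
	return block, nil
}

// tdes is one 3DES block under a 24-byte TDEA key: the PIN pad encrypts; only the processor's HSM decrypts.
func tdes(key, in []byte, decrypt bool) []byte {
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		panic(err) // wrong key length is a configuration bug, not a runtime condition
	}
	op := c.Encrypt
	if decrypt {
		op = c.Decrypt
	}
	out := make([]byte, 8)
	op(out, in)
	return out
}

// decryptPIN is the HSM side. Under the wrong key the block fails the format check instead of yielding a PIN.
func decryptPIN(key, enc []byte, pan string) (string, error) {
	block := tdes(key, enc, true)
	xorPAN(block, pan)
	pf := fmt.Sprintf("%X", block)
	n := strings.IndexByte("0123456789ABCDEF", pf[1])
	if pf[0] != '0' || n < 4 || n > 12 || strings.Trim(pf[2+n:], "F") != "" {
		return "", fmt.Errorf("malformed PIN block (wrong key?)")
	}
	return pf[2 : 2+n], nil
}
```

Because the PAN is folded into the block, the same PIN on two different cards encrypts to two different ciphertexts, and a captured block is useless to anyone without the processor-side key.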

The fallout of what is likely the second-largest data breach involving a retailer is not yet known. The largest attack against a single retailer involved TJX Cos. Inc. in 2005 and 2006, when 45.7 million customers of the off-price retailer were affected. Uncovered in 2007, the breach was conducted over 18 months. Experts were surprised by the speed of the Target crime — 19 days. TJX wound up paying $250 million in remediation expenses, settlements of bank claims, credit monitoring services for victims, legal fees and fines. It is not yet known how much the incident will cost Target.

Johnson attributed the decision of two major banks, J.P. Morgan Chase and Santander, to cap customer purchases and withdrawals made with compromised accounts to caution following the TJX intrusion. “The banks are battle-hardened and wary about retail breaches in the aftermath of TJX,” he said. “And companies like Target have learned to do the right thing on the retail side — blanket notification as soon as they find the breach, and they did find it quickly.”

Johnson also noted that the risk of cyberthefts will be reduced as financial institutions — including MasterCard, Visa and American Express — begin to roll out “chip and PIN” smartcard technology in the first quarter of 2015. Already in use in the U.K., Ireland and much of Europe, it combines chips embedded in credit and debit cards with personal identification numbers to establish the validity of the account. Because the verification will take place at the point of sale, rather than after encryption by the card issuer, liability for any losses caused by fraud will shift to the retailer and away from the financial institution.

“In the new world, once chip-and-pin is employed at point of sale, the responsibility would be the retailer’s,” Johnson said, adding that the system has worked to great effect where it’s been deployed.

While Target shoppers took to Twitter and Facebook to vent, the retailer used its own Twitter feed to highlight how it was dealing with the situation. The company doubled the manpower in its call center and promised “to work around the clock to answer questions until all needs are met,” according to a tweet last week. Target also listed steps for consumers to take to secure their cards, including getting a free credit report. The retailer repeatedly assured customers that they would “bear absolutely zero liability for any charges that they didn’t make,” and offered a 10 percent discount on Dec. 21 and Dec. 22 “in the spirit of goodwill.”

“Target’s response has been pretty energetic. Where they fell down a little bit is not investing in technology for preventing this from happening in the first place,” said Spies.