Target Corp. said Friday that PIN data from some customers' bank ATM cards were also stolen in the massive cyber-attack this month at the third-largest U.S. retailer, but it was confident that the information was "safe and secure."
The stolen PIN data were "strongly encrypted" when they were removed from Target's systems, spokeswoman Molly Snyder said in a statement.
Target encrypts PIN data with the Triple DES standard, and the data can be decrypted only with a cryptographic key that is applied when the PIN data reach the company's outside payment processor, Snyder said. "The key necessary to decrypt that data has never existed within Target's system and could not have been taken during this incident," she said.
Target has declined to identify its payment processor.
Some security experts said that even if the encryption is not broken, cybercriminals may still be able to obtain the PINs.
"There is potential for gaining access to debit card accounts," said Shane Shook, an executive with the cybersecurity firm Cylance Inc., who has investigated some of the biggest cyberbreaches.
While it is virtually impossible to decrypt a PIN without the digital key to unlock it, Shook said many debit card holders use easy-to-guess numbers like 1234. He said that in some investigations he has found that more than 20 percent of PINs could easily be guessed.
Criminals can identify PINs by using online systems some banks offer that allow customers to access their accounts using their debit card numbers and PINs, said Chris Morales, research director with NSS Labs and a security expert who has helped investigate major breaches.
ATLANTA -- Target said Friday that debit-card PINs were among the financial information stolen from millions of customers who shopped at the retailer earlier this month.
The company said the stolen personal identification numbers, which customers type into keypads to authorize transactions, were encrypted and that this strongly reduces the risk to customers. In addition to the encrypted PINs, customer names, credit and debit card numbers, card expiration dates and the data encoded on the magnetic stripe on the back of the cards were stolen from about 40 million credit and debit cards used at Target between Nov. 27 and Dec. 15.
Security experts say it's the second-largest theft of card accounts in U.S. history, surpassed only by a scam that began in 2005 involving retailer TJX Cos.
Target said it neither has access to nor stores the encryption key within its systems, and that the PIN information can be decrypted only once it reaches the retailer's external, independent payment processor.
"We remain confident that PIN numbers are safe and secure," spokeswoman Molly Snyder said in an emailed statement Friday. "The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems." The company maintains that the "key" necessary to decrypt that data never existed within Target's system and could not have been taken during the hack.
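Target has not said which PIN-block format its keypads produce or how its processor manages the Triple DES key, and neither article explains what "encrypted at the keypad" protects against. As an added illustration (not code from Target, its processor, or either article), the Python below builds and parses the ISO 9564-1 format 0 PIN block that payment terminals commonly encrypt under Triple DES; assuming that format, it is the clear block the keypad would encrypt and the processor would decrypt. It shows why the statements quoted above and in the first article hold up even though only 10,000 four-digit PINs exist and many customers share the same one: the PIN is XORed with part of the card number before encryption, so identical PINs on different cards produce different blocks (and therefore different ciphertexts), and a block decoded against the wrong card number fails its format checks. The card numbers and PIN are constructed test values. The Triple DES step itself is not implemented, since it needs a cipher library and the processor's key.

```python
"""Build and parse ISO 9564-1 format 0 PIN blocks.

Added example, not code from Target, its payment processor, or the article.
Assumption: the keypad uses the ISO 9564 format 0 block that payment
terminals commonly encrypt under Triple DES.  The Triple DES step itself is
not implemented here; it needs a cipher library and the processor's key.
"""


def _pan_field(pan: str) -> bytes:
    """Return the 8-byte PAN field: four zero nibbles followed by the
    rightmost 12 digits of the account number, excluding the Luhn check digit."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("PAN must have at least 13 digits")
    return bytes.fromhex("0000" + digits[-13:-1])


def encode_pin_block(pin: str, pan: str) -> bytes:
    """Clear format 0 PIN block: PIN field XOR PAN field.

    PIN field = control nibble 0, PIN length nibble, PIN digits, 'F' padding.
    This 8-byte value is what a terminal would hand to Triple DES.
    """
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 digits")
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    return bytes(a ^ b for a, b in zip(pin_field, _pan_field(pan)))


def decode_pin_block(block: bytes, pan: str) -> str:
    """Recover the PIN from a clear format 0 block, as the processor would
    after decrypting.  Raises ValueError if the block does not parse, which is
    what happens when it is paired with the wrong card number."""
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    pin_field = bytes(a ^ b for a, b in zip(block, _pan_field(pan))).hex().upper()
    if pin_field[0] != "0":
        raise ValueError("control nibble is not format 0")
    length = int(pin_field[1], 16)
    if not 4 <= length <= 12:
        raise ValueError("PIN length nibble out of range")
    pin, padding = pin_field[2:2 + length], pin_field[2 + length:]
    if not pin.isdigit() or padding != "F" * len(padding):
        raise ValueError("PIN digits or padding malformed")
    return pin


def try_decode(block: bytes, pan: str):
    """Return the PIN, or None when the block does not parse against this PAN."""
    try:
        return decode_pin_block(block, pan)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed test values; not real card numbers or customer PINs.
    pin = "1234"
    pans = ["4000123456789010", "5105105105105100"]
    blocks = [encode_pin_block(pin, pan) for pan in pans]
    for pan, block in zip(pans, blocks):
        print(f"PAN {pan}  clear PIN block {block.hex().upper()}")
    # Same PIN, different cards: the clear blocks (and so their ciphertexts) differ.
    print("blocks identical:", blocks[0] == blocks[1])
    # Pairing a block with the wrong card number does not yield a usable PIN.
    print("decode with right PAN:", try_decode(blocks[0], pans[0]))
    print("decode with wrong PAN:", try_decode(blocks[0], pans[1]))
```

Run as a script to see that the same PIN yields two different clear blocks for the two constructed card numbers and that decoding a block against the wrong card number fails. This is also why the guessing risk raised by Shook and Morales is separate from the encryption: an attacker who cannot decrypt the blocks can still try common PINs such as 1234 directly against systems that accept a card number and PIN.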
However, Gartner security analyst Avivah Litan said Friday that the PINs for the affected cards are not safe and people "should change them at this point."
Minneapolis-based Target said it is still in the early stages of investigating the breach. It has been working with the Secret Service and the Department of Justice.