Target Corp. said PIN data of some customers’ bank ATM cards were stolen in a massive cyber attack at the third-largest U.S. retailer, but it was confident that the information was “safe and secure.”
The stolen PIN data were “strongly encrypted” when they were removed from Target’s systems, spokeswoman Molly Snyder said in a statement on Friday.
“The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken,” Snyder said.
News of the PIN theft was first reported by Reuters on Tuesday.
Target uses the Triple DES encryption standard, and the PIN data can be unlocked only with a digital cryptographic “key” when they are received by the company’s outside payment processor, she noted.
“There is potential for gaining access to debit card accounts,” said Shane Shook, an executive with the cyber security firm Cylance Inc. who has investigated some of the biggest cyber breaches.
While it is virtually impossible to decrypt a PIN without the digital key to unlock it, Shook said many debit-card holders choose easy-to-guess numbers like 1234. He said that in some investigations he has found that more than 20 percent of PINs could easily be guessed.
Target has said little about how the cyber crooks accessed its network or stole the data in the attack, which breached 40 million payment card numbers at unprecedented speed.
The attack began on Nov. 27, the day before the Thanksgiving holiday, and continued until Dec. 1, making it the second-largest data breach in U.S. retail history.