Following the theft of credit card and debit card data from as many as 40 million accounts, first announced on Dec. 19, and later reports that the stolen data included customer PINs, Target (NYSE: TGT) confirmed today that "strongly encrypted PIN data was removed."
However, Target added in its statement that customer PIN data remains safe because of how it was encrypted. The cipher in question, Triple DES (3DES), is built on the Data Encryption Standard (DES), which works on 64-bit blocks with a 64-bit key of which only 56 bits are actual key material (the remaining eight are parity bits). 3DES applies DES three times with three such keys: 192 nominal bits, 168 bits of key, and an effective strength of roughly 112 bits against the best known (meet-in-the-middle) attack. That strength only holds while the key itself stays secret.
Accessing Target customers' stolen PINs requires decrypting the data with a key, which Target asserts could not have been taken because:
Target does not have access to nor does it store the encryption key within our system. The PIN information is encrypted within Target's systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the "key" necessary to decrypt that data has never existed within Target's system and could not have been taken during this incident.
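The arrangement Target describes, a PIN encrypted at the point of sale under a key that only the payment processor holds, is the standard ISO 9564 model. The Go program below is an added illustration of that model; it is not code from Target or its processor and says nothing about how their systems are actually built. It constructs an ISO 9564 format 0 PIN block, encrypts it with three-key 3DES from Go's standard library, reverses the process as the processor side would, and then shows the caveat a practitioner keeps in mind: a four-digit PIN has only 10,000 possible values, so anyone who holds the key (or can drive a device that uses it) recovers the PIN in moments, while ciphertext alone gives no foothold. The PAN, key and PIN are constructed sample values chosen for this example.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// panField returns the 8-byte mask used by ISO 9564-1 format 0: four zero
// nibbles followed by the rightmost twelve PAN digits, excluding the Luhn
// check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 {
		return nil, errors.New("PAN too short")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// pinBlockISO0 builds an ISO 9564-1 format 0 PIN block: a length nibble,
// the PIN digits and 0xF padding, XORed with the PAN field. This is the
// plaintext a PIN pad encrypts. Very little of it is secret: a 4-digit PIN
// gives only 10,000 possible blocks for a given PAN.
func pinBlockISO0(pin, pan string) ([8]byte, error) {
	var block [8]byte
	if len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return block, errors.New("PIN must be 4 to 12 decimal digits")
	}
	pinField := fmt.Sprintf("0%X%s", len(pin), pin)
	pinField += strings.Repeat("F", 16-len(pinField))
	p, err := hex.DecodeString(pinField)
	if err != nil {
		return block, err
	}
	q, err := panField(pan)
	if err != nil {
		return block, err
	}
	for i := range block {
		block[i] = p[i] ^ q[i]
	}
	return block, nil
}

// pinFromBlockISO0 reverses pinBlockISO0 on a decrypted block, as the
// processor's HSM would, rejecting anything that is not a well-formed
// format 0 block (for example, the output of decrypting under a wrong key).
func pinFromBlockISO0(block [8]byte, pan string) (string, error) {
	q, err := panField(pan)
	if err != nil {
		return "", err
	}
	var clear [8]byte
	for i := range clear {
		clear[i] = block[i] ^ q[i]
	}
	h := strings.ToUpper(hex.EncodeToString(clear[:]))
	n64, err := strconv.ParseInt(h[:2], 16, 0)
	n := int(n64)
	if err != nil || h[0] != '0' || n < 4 || n > 12 {
		return "", errors.New("not an ISO format 0 PIN block")
	}
	pin, pad := h[2:2+n], h[2+n:]
	if strings.Trim(pin, "0123456789") != "" || strings.Trim(pad, "F") != "" {
		return "", errors.New("malformed PIN block contents")
	}
	return pin, nil
}

// encryptPINBlock encrypts the single 8-byte PIN block under 3DES (EDE),
// which is how an encrypted PIN block travels from the PIN pad to the host.
// The key is 24 bytes: three 64-bit DES keys including parity bits, so
// 192 nominal bits, 168 key bits, about 112 bits of effective strength.
func encryptPINBlock(key []byte, block [8]byte) ([8]byte, error) {
	var out [8]byte
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return out, err
	}
	c.Encrypt(out[:], block[:])
	return out, nil
}

// decryptPINBlock is the processor-side inverse. It only works where the
// key is present, which is the property Target's statement relies on.
func decryptPINBlock(key []byte, ct [8]byte) ([8]byte, error) {
	var out [8]byte
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return out, err
	}
	c.Decrypt(out[:], ct[:])
	return out, nil
}

// recoverPINWithKey shows why the key is the whole secret: whoever holds the
// 3DES key, or can ask a device that holds it to encrypt chosen PIN blocks,
// recovers a 4-digit PIN from its ciphertext in at most 10,000 trials.
func recoverPINWithKey(key []byte, pan string, ct [8]byte) (string, bool) {
	for i := 0; i < 10000; i++ {
		guess := fmt.Sprintf("%04d", i)
		blk, err := pinBlockISO0(guess, pan)
		if err != nil {
			return "", false
		}
		c, err := encryptPINBlock(key, blk)
		if err != nil {
			return "", false
		}
		if c == ct {
			return guess, true
		}
	}
	return "", false
}

func main() {
	// Constructed sample values: a published Visa test PAN and an arbitrary
	// 3DES key picked for this example. Neither belongs to Target, its
	// processor or any real cardholder.
	pan := "4111111111111111"
	key, _ := hex.DecodeString("0123456789ABCDEFFEDCBA987654321089ABCDEF01234567")

	blk, _ := pinBlockISO0("1234", pan)
	ct, _ := encryptPINBlock(key, blk)
	fmt.Printf("PIN block   : %X\n", blk[:])
	fmt.Printf("3DES output : %X\n", ct[:])

	pt, _ := decryptPINBlock(key, ct)
	pin, _ := pinFromBlockISO0(pt, pan)
	fmt.Println("processor recovers:", pin)

	got, ok := recoverPINWithKey(key, pan, ct)
	fmt.Println("attacker holding the key recovers:", got, ok)
}
```

Run it with `go run pinblock.go`. In deployed systems the terminal's PIN key is normally a per-device key (for example one derived under DUKPT) or a zone key held inside tamper-resistant hardware, and is translated, never exposed, as the block moves between acquirer and issuer; the example collapses that to one key to keep the point visible. The cipher is not what protects the PIN; the location of the key is, which is exactly why Target's statement is about where the key lives and why an analyst's doubt about it is a doubt about key custody rather than about 3DES.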
Target added it is "still in the early stages of this criminal and forensic investigation." A recent press release also noted that Target is working with the Secret Service and U.S. Department of Justice, and will host a follow-up call on Jan. 6 with attorneys general from around the country.
Gartner security analyst Avivah Litan said Friday that the PINs for the affected cards are not safe and people "should change them at this point." Litan said that while she has no information about the encrypted PIN information in Target's case, such data has been decrypted before.
In addition to the encrypted PINs, customer names, credit and debit card numbers, card expiration dates and the data encoded on the magnetic stripe on the back of the cards were stolen from about 40 million credit and debit cards used at Target stores between Nov. 27 and Dec. 15.