Almost immediately after its data breach, Target said that debit card PIN numbers were not stolen. You may remember this December 20, 2013 statement by Target CEO Gregg Steinhafel:
"There is no indication that PIN numbers have been compromised on affected bank issued PIN debit cards or Target debit cards. Someone cannot visit an ATM with a fraudulent debit card and withdraw cash."
In an updated December 27, 2013 breach notice (Adobe PDF), the retailer admitted that debit card PIN numbers had indeed been stolen during the data breach:
"... our ongoing investigation determined that strongly encrypted PIN data was removed from our system during the data breach incident..."
Then, its latest statement attempted to reassure shoppers:
"... These [PIN data] files are protected by triple DES encryption, the most secure standard... We never had access to the encryption key required to open or read the PIN files..."
Shoppers are supposed to be comforted by the disclosure that even though PIN payment data was stolen, the encryption was strong and the encryption keys were stored in a different place than the encrypted debit payment information. That reassurance assumes the hackers didn't also breach the system holding the encryption keys, either during this attack or earlier. C/Net reported:
"However, one major U.S. bank is worried that the hackers might be able to crack the encryption code, giving [thieves] the ability to withdraw money from bank accounts..."
While writing this blog for the past 6+ years (including posts about the massive TJX Companies/T.J. Maxx data breach), I have learned that hackers are smart, persistent, and study their targets (no pun intended) before an attack. All of that seems to apply to the Target breach. Hackers use computers just like you do. And that includes software to break or decode encrypted data. It may take time, but hackers have time. That's one reason for long-term credit monitoring services for breach victims.
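To make the key-separation point concrete, here is an added example (my own illustration, not code from the blog post, from Target or from any investigator) of how a debit PIN is typically formatted before it is encrypted in payment systems. It assumes the common ISO 9564 format-0 PIN block, in which the PIN is XORed with digits of the card number (PAN) before encryption; the post does not say which format Target used, so that is an assumption. The 3DES encryption of the resulting 8-byte block is deliberately left out so the script runs with the standard library only; what it shows is why the stolen ciphertext is worthless without the key, and why recovering PINs becomes trivial for anyone who has both the key and the card numbers that were stolen alongside the PIN data.

```python
# Added example: ISO 9564 format-0 PIN block construction and parsing.
# Assumption: PINs are formatted as ISO-0 blocks (the post does not say).
# The 3DES step that protects the block in practice is not implemented;
# only the clear block before encryption / after decryption is shown.

def _pin_field(pin: str) -> bytes:
    """PIN field: nibble 0, PIN length, PIN digits, padded with F to 16 hex digits."""
    if not (4 <= len(pin) <= 12) or not pin.isdigit():
        raise ValueError("PIN must be 4 to 12 decimal digits")
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))


def _pan_field(pan: str) -> bytes:
    """PAN field: four zero nibbles, then the rightmost 12 PAN digits excluding the check digit."""
    if len(pan) < 13 or not pan.isdigit():
        raise ValueError("PAN must be at least 13 decimal digits")
    return bytes.fromhex("0000" + pan[-13:-1])


def encode_pin_block(pin: str, pan: str) -> bytes:
    """Clear ISO-0 PIN block (8 bytes): PIN field XOR PAN field.
    In a real system this block is then 3DES-encrypted under a key that
    should only ever exist inside a hardware security module."""
    return bytes(a ^ b for a, b in zip(_pin_field(pin), _pan_field(pan)))


def decode_pin_block(block: bytes, pan: str) -> str:
    """Recover the PIN from an already *decrypted* block.
    This is the whole remaining 'work' once the encryption key is exposed:
    the PAN needed here was part of the same stolen card data."""
    pin_field = bytes(a ^ b for a, b in zip(block, _pan_field(pan)))
    hexs = pin_field.hex().upper()
    if hexs[0] != "0":
        raise ValueError("not a format-0 PIN block")
    length = int(hexs[1], 16)
    pin = hexs[2:2 + length]
    if not pin.isdigit() or hexs[2 + length:] != "F" * (14 - length):
        raise ValueError("PIN block failed format check")
    return pin


def same_pin_gives_different_blocks(pin: str, pan_a: str, pan_b: str) -> bool:
    """Because the PAN is mixed in, two cards with the same PIN produce
    different clear blocks, so equal ciphertexts do not leak equal PINs."""
    return encode_pin_block(pin, pan_a) != encode_pin_block(pin, pan_b)


if __name__ == "__main__":
    # Constructed sample values; not real card data.
    pan_a, pan_b, pin = "4111111111111111", "5500000000000004", "1234"
    block = encode_pin_block(pin, pan_a)
    print("clear PIN block for card A:", block.hex().upper())
    print("same PIN, different card  :", encode_pin_block(pin, pan_b).hex().upper())
    print("PIN recovered with PAN    :", decode_pin_block(block, pan_a))
    # Brute-forcing the 3DES key is ~2**112 work; guessing the PIN itself
    # is only 10**4 for a 4-digit PIN. Everything rests on key custody.
    print("4-digit PIN space:", 10 ** 4, " 2-key 3DES key space: 2**112")
```

The design point the script makes is the one the bank in the C/Net quote was worried about: the ciphertext itself cannot be "cracked" in any practical sense, but the PIN space behind it is tiny, and the PAN needed to strip the mixing step travelled in the same stolen files. The security of the stored PIN data therefore rests entirely on whether the 3DES key stayed inside the hardware it was supposed to live in.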
Breach victims are angry, and some are not buying the company's assurances. Some consumers have filed lawsuits against Target. ABC News reported:
"Angry shoppers are lashing out at Target, filing lawsuits in California and Oregon against the retailer, alleging the store "failed to implement and maintain reasonable security procedures" when credit and debit card data for about 40 million customers... On Thursday, Target customer Jennifer Kirk filed a lawsuit in San Francisco in the hopes of being certified as part of a class action..."
These lawsuits are not a surprise given the huge size of the breach, and that the U.S. banking system uses obsolete technology for debit/credit cards. The rest of the planet uses newer technology in their debit and credit cards.
Target's initial denial that PIN payment data was stolen, followed by its reversal admitting that PIN data was stolen, demonstrates the risk of executives making hasty statements before a forensic breach investigation is completed. A company can't really know until the investigation is completed:
- Exactly what data elements (e.g., name, address, card numbers, PIN numbers, 3-digit security codes, etc.) were accessed and stolen,
- The specific computer server(s) and/or networks hacked,
- The technology(ies) the thieves used, and
- The duration of the attack and breach
While I am not a computer systems security expert, I have seen many data breaches since I started writing this blog over six years ago. History has taught me that a company can't reliably claim what was (or wasn't) stolen, or that a breach is fixed, until the investigation is completed, the extent of the attack and the damage are known, and the appropriate technical solutions are implemented on the affected servers and networks, which ideally are also hardened. Often, that fix also includes training employees to avoid risky behaviors that introduce malware and computer viruses.
At least 2,000 shoppers visiting from Europe were affected by the breach, and the U.S. Secret Service is also investigating the Target breach. The findings from that agency's investigation may also affect the retailer's fixes.
The company's early statements, made before all the facts were in, are why I have very little faith in what Target says. Shop at its stores, but use cash or credit cards. Breach victims should change their debit card PINs and, ideally, replace affected bank accounts with new ones. As in other breach incidents, Target will likely pay the costs banks incur to switch bank accounts for breach victims.
The whole incident is a reminder for consumers of the risks of shopping with their debit cards. Despite what the banking industry and retailers claim, the U.S. banking system uses obsolete technology for debit/credit cards. Plus, when you shop with your debit card, you are betting that criminals have not hacked:
- The point-of-sale terminals (e.g., payment terminals) in the stores,
- The wireless transmissions between the retail stores, and/or
- The retail company's centralized databases and networks.
Plus, stolen debit card payment information provides thieves direct access to your checking accounts. Stay tuned. We will hear a lot more about the Target data breach during the coming weeks and months.