Target admits PIN numbers were stolen in payment data breach

Update: Target is now saying that encrypted debit card PIN numbers were in fact stolen, but that the encryption key was not, so shoppers who used debit cards still have nothing to worry about.

The retailer said in a statement sent to CNET, "While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed. We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems."

The statement continued, "Target does not have access to nor does it store the encryption key within our system. The PIN information is encrypted within Target's systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the "key" necessary to decrypt that data has never existed within Target's system and could not have been taken during this incident."

So rest easy Target shoppers?

Original story below…

Hackers hit Target hard just before Christmas, stealing an estimated 40 million credit and debit card numbers during the busy holiday shopping season.

But contrary to reports on Christmas eve, there's no evidence that debit card users' PIN numbers were stolen, Target says.

Reuters reported on December 24 that shoppers' PIN numbers had been stolen as well as credit card numbers, citing "a senior payments executive familiar with the situation."

But Target has issued a statement indicating that there are "no indications" of that being the case.

Absence of proof is not proof of absence

"To date, there is no evidence that unencrypted PIN data has been compromised. In addition, based on our communications with financial institutions, they have also seen no indications that any PIN data was compromised," Target said in a statement issued to CBS New York.

It continued, "Our priority continues to be the security of our guests and we are working around the clock to address this issue."

Obviously there being no indication that PINs were stolen is not proof that PINs weren't stolen; but you can't blame Target for wanting to cover its own behind in this situation.

This cyber attack was reportedly the second-largest breach of credit card data in US history, beat only by a 2005 scam involving the retailer TJX that affected an estimated 45.7 million people, according to Fox.

Shoppers who swiped a card in a Target store between November 27 and December 15 might have been affected.

• Facebook also fell afoul of a data breach earlier this year

Via Slashgear