“We continue to have no reason to believe that PIN data, whether encrypted or unencrypted, was compromised,” Target said in a statement issued a couple of days ago. However, a new statement published on Friday reveals that PIN data has been stolen.
According to the company, the ongoing investigation has brought new things to light. Apparently, the hackers have managed to gain access to encrypted PIN data
“We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems,” Target stated.
The PINs are encrypted with the Triple DES algorithm. The retailer is confident that the attackers couldn’t have gained access to the encryption key because it’s not stored on its systems.
“The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the ‘key’ necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident,” the company noted.
On the other hand, Reuters reports that at least one major US bank is concerned that the encryption could be cracked.
Meanwhile, the company faces more and more lawsuits. Gigaom reports that at least 40 class actions have been initiated against the retail giant all over the United States.
It’s still uncertain who is behind the breach and how they’ve managed to pull it off. However, Brian Krebs has identified one Ukrainian individual who’s operating the underground website on which the stolen payment card information is being sold.
It’s uncertain if he’s directly responsible for the breach, but it’s clear that he has some involvement in the case since he has offered to pay Krebs to not run the story about him.