Businessweek
Customers pick up shopping carts containing Element Electronics 50-inch light-emitting diode (LED) high definition televisions at a Target Corp.
Target: Encrypted PINs stolen but not encryption key
Bloomberg News
Target Says Encrypted PIN Information Stolen in Card Breach (2)
Target Corp. (TGT:US) said data related to shoppers’ personal identification numbers was stolen during the recent breach of its debit and credit card system and that it’s “confident” customers’ accounts haven’t been compromised because the information was encrypted.
The PIN data that was removed can only be decrypted when it is received by Target’s external, independent payment processor, Molly Snyder, a spokeswoman for the Minneapolis-based retailer, said today in an e-mailed statement. The key needed to decrypt the information never existed on Target’s system and couldn’t have been taken during the breach, she said.
“We remain confident that PIN numbers are safe and secure,” she said. “The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.”
Target has been working to retain customers’ loyalty after saying Dec. 19 that security for 40 million cards may have been breached from Nov. 27 to Dec. 15 as shoppers made purchases in stores. While the chain said it had identified and resolved the issue, the compromise occurred during the most important period of the year for retailers and with shoppers already showing reluctance to spend.
Encryption is the correct way to store information such as PIN numbers, Ray Trygstad, industry professor of information technology and management at the Illinois Institute of Technology in Chicago, said in a phone interview.
Data Risks
“Typically pretty strong encryption is used for storage of those things,” he said. It’s “very unlikely” that the hackers will be able to decrypt the PINs, he said.
One risk still facing customers is that hackers could get access to PINs through a so-called phishing scam, Trygstad said. Hackers could use customer information including e-mail addresses to lure them to bogus sites where they would enter their card information and PINs.
Target slipped (TGT:US) 0.5 percent to $62.15 at the close in New York. The shares have gained 5 percent this year, compared with a 29 percent increase in the Standard & Poor’s 500 Index.
Even before the incident, Target had been struggling to boost sales and earnings. The retailer’s third-quarter profit trailed analysts’ estimates as U.S. shoppers held back and expansion into Canada dragged on earnings, sending net income down 46 percent from a year earlier.
Credit Reporting
Since disclosing the breakdown last week, the second-largest U.S. discount retailer has agreed to give some shoppers free credit reporting, assured them they wouldn’t be responsible for fraudulent charges and offered a 10 percent discount on purchases last weekend.
The retailer is already facing almost two dozen lawsuits, mostly from customers accusing the company of failing to safeguard their information.
The breach occurred when a computer virus infected Target’s point-of-sale terminals, a person familiar with the matter, who asked not to be identified because the investigation is private, said last week.
The company is investigating the breach with the U.S. Justice Department and the Secret Service, which asked it not to share details of the probe.
To contact the reporters on this story: Leslie Patton in Chicago at lpatton5@bloomberg.net; Lindsey Rupp in New York at lrupp2@bloomberg.net
To contact the editor responsible for this story: Robin Ajello at rajello@bloomberg.net