It turns out that the massive Target hack that compromised an estimated 40 Million accounts actually did include PIN numbers. As previously mentioned here, little facts are starting to trickle out. Now think big here, the picture is a bit more critical. With PIN information, thieves can clone debit cards onto new plastic cards, opening the bank accounts of victims up to a cash network accessible anywhere in the world through ATMs. Reports so far have been that many banks have been quick to respond to account issues that may have been affected by the breach, but responses of course vary. When you start with 40 million, many accounts are potentially still vulnerable. In a typical breach, the amount of accounts that end up actually being used by thieves run in the single digits. That means anywhere from a million to three million could end up being used out there. With PIN info – that could mean millions could be pilfered. That’s the threat.
In the meantime, there’s all this talk about liability and what is going to happen because of this. Without a doubt, Target is out a lot of money. It is very curious then how the PIN information was able to compromised. According to Target’s public statement on this latest revelation, the information is encrypted and will be extremely difficult to access. However when you read through PCI regulations, though encrypted the PIN information isn’t supposed to be stored at all.
Many questions. Was the information captured in transport? Was the environment even PCI compliant in the first place? There’s reason to doubt it, because first we have track data that was captured and now the PIN information.
We’ve said it many times before, compliance does not equal security. The act of becoming compliant itself opens up the possibility that in the race to achieve compliance, that the status is achieved for that day when the PCI audit is wrapped up. In a world of ever-changing systems, infrastructure, updates, transition of personnel, understaffing and other elements it means lapses can and do happen. In this case, the penalties can and will be severe. The payment card industry will likely fine the company for the incident, and Target will see its merchant fees rise. Those fees are the percentage that gets paid to the major credit cards companies on every transaction. They’ll probably have fees to pay for compliance violations and probably have to cover fraud expenses to card issuers. This is a big mess.
Also given the PIN information, and questions about PCI compliance, it appears less likely that the malware theory I shared will hold up. One of the things to keep an eye out for are the forensics that come out and whether the perpetrators of this act of cybercrime will ever be discovered.