On December 19th, Target confirmed that there was unauthorized access to payment card data of about 40 million credit and debit cards used in Target stores between November 27th and December 15th. On December 27th, the company confirmed reports that encrypted data containing debit card PIN numbers was also obtained but they maintain that this data is still secure.
If the data was obtained, how can Target say that it is still secure? Well, the data was encrypted using Triple DES, and the encryption keys required to make the encrypted data readable were not compromised. In fact, those keys are not stored within Target’s internal systems and therefore were not obtained during this breach. For customers this means that while their debit card numbers may have been stolen, the PIN is likely secure, so criminals will not be able to withdraw money from an ATM.
This might seem like a small consolation for those people who were victims in the breach. They still have to deal with possible fraudulent charges and/or the hassle of replacing their card(s) during a busy shopping season.
This event teaches us something very important about protecting organizational data. Simply put, encrypted data is more secure data. There is some debate about whether or not the people behind the breach can still access the PINs even though they are encrypted. Triple DES (3DES) uses a bundle of 3 different 54 bit keys, K1, K2 and K3. The algorithm looks like this:
ciphertext = E_K3(D_K2(E_K1(plaintext)))
There are 3.7×10^50 (370 Trillion Trillion Trillion Trillion) different key combinations, so it is not going to be easy to read the plaintext without the encryption keys. The goal of encryption is not necessarily to make getting at data 100 percent impossible, but rather to make it so exceedingly difficult that it is not worth the attempt.
So what does this mean for your company? You probably have data that is valuable. It might be valuable to you or valuable to others. Hackers will try to get their hands on any data they can monetize. That can be credit and debit card numbers, as in the Target breach, or it could be customer lists, intellectual property, Protected Health Information (PHI), or Personally Identifiable Information (PII) such as names, addresses, and Social Security numbers.
You need to protect your data to protect your company. Encryption is one of the easiest and most secure ways to do this. Encrypting data at rest on a SAN or NAS will help prevent unauthorized viewing. Encrypting a notebook’s hard drive at the sector level will help ensure that no one can steal the notebook and view the data on the drive. Encryption won’t prevent someone from gaining access to a network or from stealing the notebook itself. But it will secure the data, which is the truly valuable asset and what you should be most concerned with.