Target Confirms PINs Stolen in Card-Data Breach

By Mae Anderson and Barbara Ortutay

ATLANTA -- Target said Friday that debit-card PINs were among the financial information stolen from millions of customers who shopped at the retailer earlier this month.

Target (TGT) said the stolen personal identification numbers, which customers type into keypads to make secure transactions, were encrypted and that this strongly reduces risk to customers. In addition to the encrypted PINs, customer names, credit and debit card numbers, card expiration dates and the embedded code on the magnetic strip on the back of the cards were stolen from about 40 million credit and debit cards used at Target stores between Nov. 27 and Dec. 15.

Security experts say it's the second-largest theft of card accounts in U.S. history, surpassed only by a scam that began in 2005 involving retailer TJX Cos. (TJX).

Target said it doesn't have access to nor does it store the encryption key within its system, and the PIN information can only be decrypted when it is received by the retailer's external, independent payment processor.

"We remain confident that PIN numbers are safe and secure," spokeswoman Molly Snyder said in an emailed statement Friday. "The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems." The company maintains that the "key" necessary to decrypt that data never existed within Target's system and couldn't have been taken during the hack.

However, Gartner security analyst Avivah Litan said Friday that the PINs for the affected cards aren't safe and people "should change them at this point."

Litan said that while she has no information about the encrypted PIN information in Target's case, such data has been decrypted before, in particular in the 2005 TJX Cos. hacking case that's believed to be the largest case of identity theft in U.S. history.

In 2009 computer hacker Albert Gonzalez pleaded guilty to conspiracy, wire fraud and other charges after masterminding debit and credit card breaches in 2005 that targeted companies such as T.J. Maxx, Barnes & Noble (BKS) and OfficeMax. Gonzalez's group was able to decrypt encrypted data. Litan said changes have been made since then to make decrypting more difficult but "nothing is infallible."

"It's not impossible, not unprecedented [and] has been done before," she said.

Besides changing your PIN, Litan says shoppers should opt to use their signature to approve transactions instead because it is safer.

Still, she said Target did "as much as could be reasonably expected" in this case. "It's a leaky system to begin with," she said.

Credit card companies in the U.S. plan to replace magnetic strips with digital chips by the fall of 2015, a system already common in Europe and other countries that makes data theft more difficult.

Minneapolis-based Target Corp. said it is still in the early stages of investigating the breach. It has been working with the Secret Service and the Department of Justice.

-Ortutay contributed from San Francisco.


If the thieves were smart enough to "steal" 40M data profiles they are probably smart enough to untangle the PIN encryption. Winner gets all. However the difference between ATT's "slamming and cramming" and grand-theft thievery is wafer-thin. And it's legal. MAYBE (????).

December 27 2013 at 11:18 PM

I use my debit card as a credit card all the time. They don't need the pin number to use yours.

December 27 2013 at 8:03 PM (+2)

About 5 years ago, Target canceled my Red Card which was in good standing because I wasn't using it often enough and didn't carry a balance. Now because of this mess, I'm GLAD they did! I've shopped at Target maybe 3 times in 5 years because of their arrogance! No sympathy for Target!

December 27 2013 at 7:19 PM (+1)
1 reply to pm0501's comment

Nothing to offer but more Chinese drek.

December 28 2013 at 6:01 PM


December 27 2013 at 3:02 PM (-2)

It also says on here that a New York judge ruled it's ok for the NSA to spy on you.
Anyone spying on you is attacking you. They are not sending you a Christmas card.
It doesn't matter what part of your information they are stealing, whether it's from your cell phone, computer, mail, or stealing your credit card data - it is an attack on you.

December 27 2013 at 1:37 PM (+4)