Target confirms PIN data was stolen in breach

  @DavidGoldmanCNN December 27, 2013: 2:36 PM ET

Reversing its initial stance, Target now says that PINs were stolen in the retailer's massive breach of 40 million accounts.

NEW YORK (CNNMoney)

Target confirmed Friday that debit card PIN data was stolen in its recent massive breach, reversing its earlier stance that the codes were not part of the hack.

However, the retailer believes the PINs remain "safe and secure." In a statement, Target (TGT, Fortune 500) spokeswoman Molly Snyder said the PINs are "strongly encrypted" and were never stored on Target's systems in plain text.

In other words, from the moment a customer entered a PIN after swiping a debit card, Target's payment system translated that number into an indecipherable string of code. Target claims that the PINs remained encrypted after they were stolen.

Not only are the PINs encrypted, Target says the numbers can only be decrypted by the independent payment processor, which holds the decryption key. That key is necessary to translate the unintelligible code back into the PIN. Target said the key was not stolen as part of the breach, because it never existed within the company's systems.

Target says it uses the Triple Data Encryption Standard to encrypt its PIN codes. Per Thorsheim, an independent password security consultant, said the PINs encrypted with the Triple DES algorithm would be "difficult or impossible to decrypt," if the payment processor's decryption key was robust enough. Target declined to comment on the identity of its payments processor.

That means it is very unlikely that thieves would be able to withdraw money from ATMs using stolen debit card information. Consumers are protected from certain instances of debit card fraud, but cash withdrawals and purchases made with a PIN can be tricky to reverse.

As a precaution, Target customers who shopped at Target when the breach occurred should contact their banks to request a replacement card and change their PIN.

The PIN theft revelation means that Target's payment systems breach was larger than initially thought. That is common in credit card breaches. When Marshalls' and TJ Maxx's parent company TJX (TJX, Fortune 500) was hit with a massive breach in 2007, the company initially said 45 million accounts were hacked but upped that number to 94 million months later.

Target says that its breach, which took place between Black Friday and Dec. 15, compromised 40 million customers' payment information.