Target says stolen debit-card PINs were encrypted, should be secure

Key to the encryption is not in the chain's system, it says, so was not taken
FILE - In this Dec. 19, 2013 file photo, a passer-by walks near an entrance to a Target retail store in Watertown, Mass. Target on Friday, Dec. 27, 2013 said that customers' encrypted PIN data was removed during the data breach that occurred earlier this month. But the company says it believes the PIN numbers are still safe because the information was strongly encrypted. (AP Photo/Steven Senne, File)

ATLANTA — Target said Friday that debit-card PIN numbers were among the financial information stolen from millions of customers who shopped at the retailer earlier this month.

The company said the stolen personal identification numbers, which customers type into keypads to make secure transactions, were encrypted and that this strongly reduces risk to customers. In addition to the encrypted PINs, customer names, credit and debit card numbers, card expiration dates and the embedded code on the magnetic strip on the back of the cards were stolen from about 40 million credit and debit cards used at Target between Nov. 27 and Dec. 15.

Target said it doesn't have access to nor does it store the encryption key within its system, and the PIN information can only be decrypted when it is received by the retailer's external, independent payment processor.

"We remain confident that PIN numbers are safe and secure," spokeswoman Molly Snyder said in an emailed statement Friday. The company maintains that the "key" necessary to decrypt that data never existed within Target's system and could not have been taken during the hack.

However, Gartner security analyst Avivah Litan said Friday that the PINs for the affected cards are not safe and people "should change them at this point."

In 2009 computer hacker Albert Gonzalez pleaded guilty to conspiracy, wire fraud and other charges after masterminding debit and credit card breaches in 2005 that targeted retailers such as T.J. Maxx, Barnes & Noble and OfficeMax. Gonzalez's group was able to unlock encrypted data. Litan said changes have been made since then to make decrypting more difficult but "nothing is infallible."

Besides changing your PIN, Litan says shoppers should instead opt to use their signature to approve transactions because it is safer.

