December 27, 2013

Target confirms that customers’ encrypted PINs were stolen

The company believes the numbers are secure because of the extent of the encryption, but experts advise people affected to change their codes.

By Mae Anderson And Barbara Ortutay
The Associated Press

ATLANTA — Target Corp. said Friday that debit-card PINs were among the financial information stolen from millions of customers who shopped at the retailer earlier this month.

Hundreds of credit and debit card numbers stolen from the Target in South Portland, above, and Target’s four other Maine stores were offered for sale on a black market website.

Shawn Patrick Ouellette/Staff Photographer

A passer-by walks near an entrance to a Target retail store in Watertown, Mass., this month. Target on Friday said customers’ encrypted PIN data was removed during the data breach that occurred earlier this month. But the company says it believes the PIN numbers are still safe because the information was strongly encrypted.

The Associated Press

The company said the stolen personal identification numbers, which customers type into keypads to make secure transactions, were encrypted and that this strongly reduces risk to customers. In addition to the encrypted PINs, customer names, credit and debit card numbers, card expiration dates and the embedded code on the magnetic strip on the back of the cards were stolen from about 40 million credit and debit cards used at Target stores between Nov. 27 and Dec. 15.

State officials have previously estimated that more than 100,000 Maine customers were affected by the breach.

Security experts say it’s the second-largest theft of card accounts in U.S. history, surpassed only by a scam that began in 2005 involving retailer TJX Cos.

“We remain confident that PIN numbers are safe and secure,” spokeswoman Molly Snyder said in an emailed statement Friday. “The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.”

However, Gartner security analyst Avivah Litan said Friday that the PIN numbers for the affected cards are vulnerable and that people should change their codes since such data has been decrypted, or unlocked, before. In 2009, computer hacker Albert Gonzalez pleaded guilty to conspiracy, wire fraud and other charges after masterminding debit and credit card breaches in 2005 that targeted retailers such as T.J. Maxx, Barnes & Noble and OfficeMax. Gonzalez’s group was able to unlock encrypted data.

Litan said changes have been made since then to make decrypting more difficult, but “nothing is infallible.”

“It’s not impossible, not unprecedented (and) has been done before,” she said.

Besides changing your PIN, Litan says shoppers should instead opt to use their signature to approve transactions because it is safer. Still, she said Target did “as much as could be reasonably expected” in this case.

“It’s a leaky system to begin with,” she said.

Credit card companies in the U.S. plan to replace magnetic strips with digital chips by the fall of 2015, a system already common in Europe and other countries that makes data theft more difficult.

Minneapolis-based Target Corp. said it is still in the early stages of investigating the breach. It has been working with the Secret Service and the Department of Justice.
