Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

Target Says Stolen PIN Data Can't Be Cracked

Photo credit: Northfoto/Shutterstock.com
Photo credit: Northfoto/Shutterstock.com

First uncovered by security researcher Brian Krebs, the breach resulted in perpetrator(s) stealing credit and debit card “track data,” which enables the attackers to create (and sell) counterfeit cards. Anyone who swiped a card at a Target store between Nov. 27 and Dec. 15, the busiest shopping time of the year, could potentially be a victim. 

Target has now said that any debit card PIN information is likely safe and secure.

“While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed,” the company said in a statement. “The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.”

When a guest uses a debit card in our stores and enters a PIN, the company noted, the PIN is essentially encrypted at the keypad with what is known as the Triple DES highly secure encryption standard, used broadly throughout the US.

“Target does not have access to nor does it store the encryption key within our system,” the company said. “The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the ‘key’ necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident.”

And that, Target said, means that customer debit card accounts cannot have been compromised due to the encrypted PIN numbers being taken.

Details will no doubt continue to dribble out as the retailer continues its investigation, but it’s likely that it will continue to feel the hit on its brand by consumers. The YouGov consumer sentiment index found that in one day, from Thursday Dec. 19 through Friday Dec. 20, Target saw its consumer perception plummet 35 points, more than either Sony PlayStation or Citibank did one week after their high-profile breaches became public.

Despite CEO Gregg Steinhafel's decision to give a 10% discount on most store items over the weekend before Christmas, as well as free credit monitoring services for everyone impacted, “The retailer has reached its lowest consumer perception point since at least June 2007,” YouGov found. “This also marks the first time since that same time that Target has had more negative perception than positive perception.”