Target Confirms PIN Data Also Stolen In Credit/Debit Card Hack

After days of denying a report that hackers had stolen encrypted PIN data from some 40 million Target shoppers, the retailer has finally admitted that yes, this information was indeed collected during the 3-week-long data breach.

Because the PIN info is encrypted, Target tells USA Today, “We remain confident that PIN numbers are safe and secure.”

Without the encryption key used by Target’s external payment processor, that PIN info cannot be accessed. Target says this key was never stored on the retailer’s payment systems, so it could not have been stolen during the breach.

But if the hackers were able to obtain that key, they would be able to encode dummy debit cards with the stolen numbers and withdraw cash at will from customers who have not changed their PINs since the hack attack.

So, again, if you used a debit or credit card at Target between Black Friday and Dec. 15, it would be wise to change the PINs on any cards you used.

Reuters was the first to report that PIN data had been stolen, but Target denied the story, saying at the time that it had “no reason to believe that PIN data, whether encrypted or unencrypted, was compromised.”


  1. CharlesWinthrop says:

    And in a week or three we’ll hear “Well, yes, they did get the key too. But we’re sure they wouldn’t use them!”

  2. Saber says:

    As long as the card # was changed, the PIN # should be all right. The only times in which a PIN # was/is ever used on a cancelled card are few and far between – mostly because it makes the person using it incredibly easy to trace. Unfortunately (for the police and public at large) these people, while far from being the smartest criminals, seem smart enough to have not been using cards that are already cancelled. :/

  3. robinm says:

    What a PR disaster this has been from the very get-go. They have not handled this well at all.