Target Admits Customers’ PINs were Stolen

Target Corp. (Minneapolis) acknowledged that data related to shoppers’ personal identification numbers (PINs) were stolen during the recent breach of its debit and credit card system. However, the retailer said, it’s confident customers’ accounts haven’t been compromised because the information was encrypted.

A Target spokesperson said the PIN data can only be decrypted when they are received by Target’s external, independent payment processor. Since the key needed to decrypt the information never existed on Target’s system, it couldn’t have been taken during the breach, she said.

“We remain confident that PINs are safe and secure,” she said. “The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.”

“Typically pretty strong encryption is used for storage of those things,” Ray Trygstad, industry professor of information technology and management at the Illinois Institute of Technology (Chicago), told Bloomberg News. It’s “very unlikely” that the hackers will be able to decrypt the PINS, he said.

However, said Trygstad, “One risk still facing customers is that hackers could get access to PINs through a phishing scam, using the customer information they have, which includes e-mail addresses, to lure them to bogus sites where they would enter their card information and PINs.”

Bloomberg reported that the breach occurred when a computer virus infected Target’s point-of-sale terminals. The company is investigating the breach with the U.S. Justice Department and the Secret Service, which asked it not to share details of the probe.

Doug Johnson, vp of risk management policy at the American Bankers Association, told Women’s Wear Daily that the risk of cyberthefts will be reduced as financial institutions — including MasterCard, Visa and American Express — begin to roll out “chip and PIN” smartcard technology in the first quarter of 2015.

Already in use in the U.K., Ireland and much of Europe, said WWD, it combines chips embedded in credit and debit cards with personal identification numbers to establish the validity of the account.