Target: Encrypted PIN numbers taken in recent credit card data theft

Last week, retailer Target announced that 40 million credit and debit card numbers had been taken from its database. So far, the identities of the people behind the cyber attack are still unknown, but today Target revealed that the theft also involved the PIN numbers linked to those cards.

In theory, the thieves who took the PIN numbers could use them in combination with the credit card data to make withdrawals from customer bank accounts. However, Target's statement today claims that the numbers are "strongly encrypted", adding that the encryption key needed to unlock those PINs is part of an external and independent payment database. Target said, "The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken."

The credit card data was taken from Target's servers between November 27th and December 15th. The Krebs on Security website, which first broke the story of the Target cyber attack, says that many of those credit card numbers are now being distributed in underground online shops frequented by hackers. Target has said it plans to offer free credit monitoring to the customers who have been affected by this incident, but details have not been announced.

Source: Target


19 Comments


Chip and PIN is a UK brand name, so it's not likely you'd see it in the US initially. The use of smart cards isn't new. The first project I worked on was in the late 90s. They did a pilot program during the Atlanta Olympics in 1996. That was before most people had really heard of this new Internet thing.

Some people post before they even read up on the history of the whole affair and realise that the point of sale software was compromised.

How cute :-)

paul0544 said,
Some people post before they even read up on the history of the whole affair and realise that the point of sale software was compromised.

How cute :-)

That's what happens when you outsource to India!

I shopped at Target after all of this. Been checking my statements almost daily. No odd activity...yet...

Almost tempted to call up my credit card co and bank for new cards. What do you think?

Yeah, we shop at Target for groceries and other crap and had several transactions during this period. Chase is automatically issuing new cards for my wife and me -- though now apparently I should change our PINs.

So far I haven't seen any odd activity yet either.

EDIT: My new debit card arrived today actually. Chase being proactive was nice.

Edited by scumdogmillionaire, Dec 28 2013, 2:23am :

It would be easy to do 4 digits if you had access to the encryption key as running 10,000 encryptions wouldn't take long. If not, the encrypted data is useless and you might as well try random PINs hoping to hit a percentage.

More likely than not, Target was complying with the rules and the PIN numbers were stolen while in transit. This was an extremely sophisticated hack.

Why would you ever store the PIN - how did you even get the PIN from a credit card... do you not comply with PCI DSS?

IIRC, wasn't this hack done while the data was being transferred? So in that case they could be able to sniff out the pin if you were using a debit card as a debit transaction IIRC.

Well, PCI DSS doesn't allow you to store the PIN or the security code... but if I recall correctly, if your server setup is actually locked in the cage in a dungeon, you would be able to. I mean, I am fairly certain companies like PayPal store your security code.

And I think Target has a big enough wallet to store all your sensitive data inside a cage.