Unnamed sources close to the Target hacking incident, which was revealed last week, have confirmed to Reuters that encrypted personal identification numbers (PINs) were also stolen. One major U.S. bank even fears that the thieves will be able to crack the encryption code and make huge, fraudulent withdrawals from consumer bank accounts.
A Target rep reassured Reuters on Friday that "no unencrypted PIN data was accessed," and said that so far there is no evidence to support talk that PIN data was "compromised." The rep did confirm that some encrypted data was stolen, but did not say that PINs were part of the theft.
"We continue to have no reason to believe that PIN data, whether encrypted or unencrypted, was compromised. And we have not been made aware of any such issue in communications with financial institutions to date," Target spokeswoman Molly Snyder said by email. "We are very early in an ongoing forensic and criminal investigation."
Last week, Target confirmed that hackers managed to access its computers and stole the credit and debit information of around 40 million customers who shopped at Target, which has nearly 1,800 stores nationwide, between November 27 and December 15. The thieves retrieved customer names, credit card numbers and expiration dates.
Target reported the infiltration to banks that issue debit and credit cards on December 18. The public didn't know about the breach until a day later, December 19.
As of last Friday, two separate class action lawsuits had been filed in U.S. District Court in Minnesota on behalf of three Target customers who claim they're suing for all affected customers. They are accusing the company of negligence, and claim that the company failed to notify customers as soon as it learned of the theft.
Reuters reports that several banks have lowered limits on how much customers can withdraw from ATMs, and how much they can charge or spend each day. This is reportedly a highly unusual move for banks, and shows that financial institutions fear that hackers will break the encryption and drain them dry.
"That's a really extreme measure to take," said Avivah Litan, a Gartner analyst, regarding the reduced spending limits. "They definitely found something in the data that showed there was something happening with cash withdrawals."
The big worry about encrypted PINs is that if the hackers are sophisticated enough to infiltrate Target for three weeks, then they're likely sophisticated enough to break the encryption.
UPDATE: Yes, encrypted PINs were stolen, but not the encryption key. The full announcement can be read here.