Skip to main content

Target Says Hackers Stole Encrypted PIN Numbers

Unnamed sources close to the Target hacking incident revealed last week have confirmed with Reuters that encrypted personal identification numbers (PINs) were also stolen. One major U.S. bank even fears that the thieves will be able to crack the encryption code and make huge, fraudulent withdrawals from consumer bank accounts.

A Target rep reassured Reuters on Friday that "no unencrypted PIN data was accessed," and so far there is no evidence to support talk that PIN data was "compromised." However, the rep did confirm that some encrypted data was stolen, but did not say that PINs were part of the theft.

"We continue to have no reason to believe that PIN data, whether encrypted or unencrypted, was compromised. And we have not been made aware of any such issue in communications with financial institutions to date," Target spokeswoman Molly Snyder said by email. "We are very early in an ongoing forensic and criminal investigation."

Last week, Target confirmed that hackers managed to access its computers and stole the credit and debit information of around 40 million customers who shopped at Target, which has nearly 1,800 stores nationwide, between November 27 and December 15. The thieves retrieved customer names, credit card numbers and expiration dates.

Target reported the infiltration to banks that issue debit and credit cards on December 18. The public didn't know about the breach until a day later, December 19.

As of last Friday, two separate class action lawsuits were filed in U.S. District Court in Minnesota, filed on behalf of three Target customers who claim they're suing for all affected customers. They are accusing the company of negligence, and claim that the company failed to notify customers as soon as it learned of the theft.

Reuters reports that several banks have lowered limits on how much customers can withdraw from ATM machines, and how much they can charge/spend each day. This is reportedly a highly unusual move for banks, and shows that financial institutions fear that hackers will break the encryption and drain them dry.

"That's a really extreme measure to take," said Avivah Litan, a Gartner analyst, regarding the reduced spending limits. "They definitely found something in the data that showed there was something happening with cash withdrawals."

The big worry about encrypted PINs is that if the hackers are sophisticated enough to infiltrate Target for three weeks, then they're likely sophisticated enough to break the encryption.

UPDATE: Yes, encrypted PIN numbers were stolen, but not the encryption key. The full announcement can be read here.

  • dextermat
    Epic facepalm... Target just got in Sherbrooke(canada) and nothing on the shelves, with a big mistake like that, they should stay in the US!
    Reply
  • COLGeek
    To quote the great Homer (Simpson)...."Doh!!!"
    Reply
  • jacobdrj
    PIN numbers and ATM machines in the same article... Shame on toms hardware editors...
    Reply
  • osamabinrobot
    next week when we find out whoever pulled this also got into their payment processor shits really gonna hit the fan huh
    Reply
  • rantoc
    Another day, another cloud disaster.... gotta love the logic to collect all the eggs in one spot...
    Reply
  • Rhinofart
    @Jacobdrj
    Why is it shame on Tom's Hardware editors? You do know that the PIN you use at the till is the same one you use at the ATM right?
    Reply
  • ddpruitt
    PIN numbers and ATM machines in the same article... Shame on toms hardware editors...

    And yet another moron. The PIN can be used to easily take money out of an ATM. There is more than video on youtube of someone using something as innocuous as a prepaid phone card to program as a debit card to withdraw money from an ATM. With the PIN number it wouldn't take long to clean out an account.

    Now for those who don't know STORING the PIN numbers is a major PCI compliance violation, for the very obvious reasons here. No merchant is ever allowed to store the PIN number or the CVV/CVN number on the back of your card. If the Payment Processing Industry is serious about security they'll ban Target from accepting their debit/credit cards. I'm interested to see what happens here.
    Reply
  • techguy911
    This article is WRONG they got the pin numbers unencrypted it was posted on targets website seems the malware was in the card terminal and prob keylogged the pin pad as well as get stripe info.
    http://money.cnn.com/2013/12/27/technology/target-pin/index.html?hpt=hp_c2
    Reply
  • techguy911
    I don't think Target was storing the pin numbers for what i have read the malware reads memory locations in the POS and possibly the pin pad.

    http://storefrontbacktalk.com/securityfraud/thousands-of-cards-compromised-at-retailers%E2%80%99-pos/
    Reply
  • rogue3542
    Rhinofart and ddpruitt,

    PIN is an acronym for "personal identification number;" likewise, ATM is an acronym for "automated teller machine." Thus, when the author writes "PIN number," it actually means personal identification number number, and "ATM machine" is automated teller machine machine. Perhaps you should leave the hyperbole and epithets by the wayside.
    Reply