Target Corp attackers also stole encrypted PINs: Report

28 Dec 2013

The hackers who attacked Target Corp and compromised around 40 million credit cards and debit cards also stole encrypted personal identification numbers (PINs), Reuters said in an exclusive report, citing a senior payments executive familiar with the situation (See: 40 million credit, debit card accounts breached: Target).

Meanwhile, executives of a major US bank are worried the thieves might be able to crack the encryption code and make fraudulent withdrawals from consumer bank accounts. The data breach is still under investigation.

According to Target spokeswoman Molly Snyder, no unencrypted PIN data was accessed and there was no evidence that PIN data had been "compromised." Even as she confirmed that some "encrypted data" had been stolen, she declined to say if that included encrypted PINs.

"We continue to have no reason to believe that PIN data, whether encrypted or unencrypted, was compromised. And we have not been made aware of any such issue in communications with financial institutions to date," Snyder said by email. "We are very early in an ongoing forensic and criminal investigation."

The No 3 US retailer reported last week that hackers stole data from as many as 40 million cards used at Target stores during the first three weeks of the holiday shopping season, which made it the second-largest data breach in US retail history.

According to Target, the stolen personal identification numbers, which customers typed into keypads to make secure transactions, were encrypted, which strongly reduced the risk to customers, Associated Press reports.

According to security experts, it was the second-largest theft of card accounts in US history, surpassed only by a scam that started in 2005 involving retailer TJX Cos.

However, according to Gartner security analyst Avivah Litan, the PINs for the affected cards were vulnerable and people should change their codes, since such data had been decrypted, or unlocked, before.

In 2009, computer hacker Albert Gonzalez pleaded guilty to a number of charges, including conspiracy and wire fraud, for coordinating debit and credit card breaches in 2005 that targeted retailers including TJ Maxx, Barnes & Noble and OfficeMax.

The group successfully unlocked encrypted data. According to Litan, changes had been made since then to make decrypting more difficult, but nothing was infallible.