Target: Customers’ encrypted PINs stolen
ATLANTA—Target said debit card PIN numbers were among the financial information stolen from millions of US customers who shopped at the retailer earlier this month.
The company said the stolen personal identification numbers, which shoppers type into keypads to make secure transactions, were encrypted and that this strongly reduces risk to customers. In addition to the encrypted PINs, customer names, credit and debit card numbers, card expiration dates and the embedded code on the magnetic strip on the back of the cards were stolen from about 40 million credit and debit cards used at Target between Nov 27 and Dec 15.
Security experts say it’s the second-largest theft of card accounts in US history, surpassed only by a scam that began in 2005 involving retailer TJX Cos. Target said it doesn’t have access to, nor does it store, the encryption key within its system, and the PIN information can only be decrypted when it is received by the retailer’s external, independent payment processor.
“We remain confident that PIN numbers are safe and secure,” spokeswoman Molly Snyder said in an emailed statement. “The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.”
However, Gartner security analyst Avivah Litan said the PINs for the affected cards are not safe and people “should change them at this point”. Minneapolis-based Target said it is still in the early stages of investigating the breach. It has been working with the US Secret Service and the Department of Justice.