Target confirms PIN data also stolen in credit/debit card hack
by Chris Morran, Consumerist
After days of denying a report that hackers had stolen encrypted PIN data from some 40 million Target shoppers, the retailer has finally admitted that yes, this information was indeed collected during the 3-week-long data breach.
Because the PIN info is encrypted, Target tells USA Today, “We remain confident that PIN numbers are safe and secure.”
Without the encryption key used by Target’s external payment processor, that PIN info can not be accessed. Target says this key was never stored on the retailers’ payment systems so it could not have been stolen during the breach.
But if the hackers were able to obtain that key, they would be able to encode dummy debit cards with the stolen numbers and withdraw cash at will from customers who have not changed their PINs since the hack attack.
So, again, if you used a debit or credit card at Target between Black Friday and Dec. 15, it would be wise to change the PINs on any cards you used.
Reuters was the first to report that PIN data had been stolen, but Target denied the story saying at the time that it had “no reason to believe that PIN data, whether encrypted or unencrypted, was compromised.”