Target Acknowledges Customers’ PIN Data Was Hacked

But the company said cards are still safe

  • Share
  • Read Later
Alex Wong / Getty Images

Target said Friday that its customers’ encrypted debit card PINs were obtained in a data breach during the holiday shopping season, but that accounts have not been compromised.

New forensic work revealed that encrypted PIN data, or the personal identification code used to protect credit or debit cards, was removed with the name and card numbers during the hack between Nov. 27 and Dec. 15, according to a company statement.

Target said it was still in the early stages of the investigation, but is “confident” debit card accounts were not compromised because the data was still strongly encrypted when it was taken. The statement said a PIN can only be decrypted after it is received by an independent payment processor.




Target claims there is a silver lining in all this, the 'glass half full': since the master key for the encryption of the credit card pins was separate from the breached Target system, the bad guys cannot unencrypt those pins. Target is therefore able to claim a kind of 'Safe Harbor' claim: that the key to decrypt the data could not have been taken, and "The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken."

Safe Harbor is a respectable concept with some clear technologies emerging to enable it, for both larger companies and (using cloud technology) for SMEs. For example, see