Target Confirms Unauthorized Access to Encrypted PIN Data in U.S. Stores

Don Miller

The door has closed on 2013, but as I look back at the last data breach of the year, the theft of records for 40 million U.S.-based Target store customers has fast become the second-largest retail data breach in U.S. history.

The breach was reported December 18 by the website Krebs on Security, and Target later confirmed that hackers had access to the company’s network from November 27 through December 15. Initially, Target confirmed that customer information (names, credit card numbers, etc.) was the only data accessed, but later announced that encrypted PIN (Personal Identification Number) data was taken as well.

Encrypted PIN Data Stolen

Target spokesperson Molly Snyder said, “We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.”

Target, meanwhile, said it does not have access to the encryption key used to secure the PIN data, nor was the key stored on its systems.

“The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor,” Snyder said. “What this means is that the ‘key’ necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident.”

Snyder said, “PIN data is encrypted at a retail location’s keypad with Triple-DES encryption and that data remains encrypted over the wire until it reaches its payment processor. Attackers would have to have compromised the point-of-sale system and intercepted the PIN data before it is encrypted in order to have accessed it.”

What This Means for Target Customers

If the attackers have the PIN data and are able to crack the encryption, they will be able to create counterfeit debit cards and steal money from ATMs. According to Snyder, however, the “most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken.”

Target has brought in the U.S. Secret Service and U.S. Department of Justice to investigate the breach, along with an unnamed third-party computer forensics firm.

This data breach has put millions of Target customers at risk and should serve as a reminder for all organizations that they need to have a high-grade secure data encryption solution in place.

bTrade Can Help You Secure Your Data

Data breaches seem to have become less noteworthy and so commonplace that they receive little more than a shrug of the shoulders. A data breach should not be common or recurring. Protect your organization by deploying a data encryption solution that can securely and effectively transmit, store and manage confidential data. Please email us at info@btrade.com to learn how bTrade solutions can help keep your data secure.