Target finally said on Friday, December 27 that the data breach it suffered before Christmas had reached encrypted personal identification numbers, or PINs, the Financial Times reported. The report said the disclosure was an acknowledgement by the retailer that the attack was worse than its first public assessment. Around 40 million cards were compromised in one of the largest ever data hacks in the country, inconveniencing millions of shoppers at the height of the Christmas shopping season, the report said.
When PINs are accessed together with card data, thieves could potentially withdraw money through cash machines. However, Target said that it remained confident that the PINs would stay safe and secure because the information was strongly encrypted.
Still, a banker warned that the risk remained that the PINs could be decrypted and money stolen from cardholders' accounts. The incident, which occurred between November 27 and December 15, is being investigated by the Secret Service and the Justice Department.
To mitigate the effect of fraud resulting from the data breach, banks like JPMorgan placed caps on spending. Cash withdrawals for customers were initially limited to $100, while card purchases were capped at $300, which inconvenienced shoppers doing their last-minute Christmas shopping. Banks loosened the limits later on.
Forrester Research security analyst John Kindervag told the FT that the encryption should remain secure, but said that the breach of the PIN data calls the retailer's information storage into question. He said, "It shows that Target was aggregating a lot of data that was unnecessary for them in the back end. Assuming they did key management OK everything is fine; there's nothing to worry about. We call that killing your data, devaluing it by proper encryption. Most standardised algorithms - despite all the things you see on TV - generally can't be hacked or broken." To be on the safe side, he advises those who used their debit card at Target to change their PINs.