Target Admits Encrypted PIN Data Was Stolen In Data Breach

The data breach that affected 40 million Target (NYSE: TGT) shoppers also put customers' debit card PIN numbers at risk, Target confirmed, reversing its earlier stance that the codes were not part of the hack. According to Target, however, the PINs themselves remained encrypted after they were stolen and the encryption cannot be broken by whoever took them.

"While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed," Molly Snyder, a spokeswoman for Target, said Friday. "We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system and remained encrypted when it was removed from our systems."

Here's how it works: When a Target customer uses a debit card in one of the company's stores and enters his or her PIN, the number is encrypted at the keypad with a widely used encryption algorithm known as Triple DES. This means that Target's payment system turns PINs into a string of code that cannot be read without the key. Target said it doesn't store the key to the encryption within its computer systems, so the key could not have been stolen by the hackers. The numbers can only be decrypted by the independent payment processor, which holds the decryption key.

Despite customer PIN numbers being potentially compromised, analysts predict that it is unlikely that thieves would be able to withdraw money from ATMs using stolen debit card information. As a precaution, however, Target customers who shopped at Target when the breach occurred have been encouraged to contact their banks to request a replacement card and change their PIN.

Since news of the data breach was made public, Target has faced widespread criticism and suffered a big blow to its once-popular image. Target's customer-perception level has plummeted to its lowest since at least 2007 and stood at negative 22 last week, according to YouGov BrandIndex. That means 22 percent more shoppers have a negative perception of the brand than have a positive perception. Prior to the data breach, Target had a positive score of 37 as of Dec. 11. With word of the breach arriving in the final shopping days before Christmas, the company has also suffered a big hit in vital year-end traffic and sales.

Not only has Target taken a hit to its brand image, the company is also facing several class-action lawsuits. A review of federal court records shows that Target has been named in at least 40 different lawsuits across the country related to the data breach. The lawsuits accuse Target of violating various state laws and of committing negligence in the way it handled customer data and reported the breach. Some of the lawsuits allege that thieves might find a way to break the encryption and use the PINs to withdraw money from card holders' bank accounts.

For more see:
-This Wall Street Journal article
-This USA Today article