Target breach: Expert explains why stolen PIN data is worth worrying about

Target says there's nothing to worry about, but not everyone agrees.

Today, Target confirmed that in addition to credit card numbers, the cyberthieves who recently victimized roughly 40 million shoppers made off with "strongly encrypted" PIN data.

That seems extremely concerning, because stolen PINs suggest whole accounts are at risk, not just particular cards. But in a statement, Target officials asked customers not to panic.

"We remain confident that PIN numbers are safe and secure," the Target statement says. "The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems."

But in a Wednesday Reuters report that broke the news about stolen PINs, Daniel Clemens, CEO of cyber security consulting firm Packet Ninjas, said news that PINs were stolen -- encrypted or not -- is sufficient cause for concern, despite what Target says.

From the report:

As an example of potential vulnerabilities in PIN encryption, Clemens said he once worked for a retailer who hired his firm to hack into its network to find security vulnerabilities. He was able to access the closely guarded digital "key" used to unscramble encrypted PINs, which he said surprised his client, who thought the data was secure.

In other cases, hackers can get PINs by using a tool known as a "RAM scraper," which captures the PINs while they are temporarily stored in memory, Clemens said.

Officials at JPMorgan Chase, the largest bank in America, appear to be at least somewhat concerned about the stolen PINs, as news of the Target breach caused them to lower limits on how much cash customers can take out of teller machines and spend at stores.

"That's a really extreme measure to take," Avivah Litan, a Gartner analyst who specializes in cyber security and fraud detection, told Reuters, referring to JPMorgan's move. "They definitely found something in the data that showed there was something happening with cash withdrawals."

As a way to make up for the breach, Target offered a 10 percent discount on some store purchases last weekend. But that wasn't enough to make up for all the negative publicity -- Target's transaction numbers were 3 to 4 percent down from the same weekend a year ago, the Huffington Post reports.

-- Follow Aaron Rupar on Twitter at @atrupar.
