Target has confirmed that encrypted debit card PIN numbers were also stolen as part of the massive Black Friday hack after vehemently denying such reports earlier in the week. The good news for shoppers, however, is that the key needed to decrypt the data was never in danger of being compromised.
In a statement on the matter, Target outlined how their system handles debit card purchases. When the PIN is entered, it is encrypted via Triple DES encryption within their system and can only be decrypted when it is received by their external, independent payment processor. As such, the key necessary to decrypt the data never existed in Target’s system and couldn’t have been stolen during the breach.
Unless the hackers are able to crack the high level encryption, there’s little chance that the stolen PINs will be of any use.
Card numbers, expiration dates and security codes from some 40 million cards were stolen between late November and mid-December according to the retailer. The information is already flooding the black market and is said to be priced at anywhere between a quarter to $100 per card based on the credit limit.
The retailer is working with the Justice Department and the Secret Service to try and locate those responsible for the breach. In the meantime, it’d probably be best to keep a close eye on your bank account and / or credit card account in the event you shopped at Target during the last month.