BOSTON/NEW YORK — The hackers who attacked Target Corp. and compromised up to 40 million credit cards and debit cards also managed to steal encrypted personal identification numbers (PINs), according to a senior payments executive familiar with the situation.
One major U.S. bank fears that the thieves would be able to crack the encryption code and make fraudulent withdrawals from consumer bank accounts, said the executive, who spoke on the condition of anonymity because the data breach is still under investigation.
Target spokeswoman Molly Snyder said “no unencrypted PIN data was accessed” and there was no evidence that PIN data has been “compromised.” She confirmed that some “encrypted data” was stolen, but declined to say if that included encrypted PINs.
“We continue to have no reason to believe that PIN data, whether encrypted or unencrypted, was compromised. And we have not been made aware of any such issue in communications with financial institutions to date,” Snyder said by email. “We are very early in an ongoing forensic and criminal investigation.”
The No. 3 U.S. retailer said last week that hackers stole data from as many as 40 million cards used at Target stores during the first three weeks of the holiday shopping season, making it the second-largest data breach in U.S. retail history.
Target has not said how its systems were compromised, though it described the operation as “sophisticated.” The U.S. Secret Service and the Justice Department are investigating. Officials with both agencies have declined comment on the investigations.
While the use of encryption codes may prevent amateur hackers from obtaining the digital keys to customer bank deposits, the concern is the coding cannot stop the kind of sophisticated cyber criminal who was able to infiltrate Target for three weeks.
Daniel Clemens, CEO of Packet Ninjas, a cyber security consulting firm, said banks were prudent to lower debit card limits because they will not know for sure if Target’s PIN encryption was infallible until the investigation is completed.
Target also said it has learned of some incidents of scam emails related to its recent data breach and is setting up a section of its corporate website to post copies of all official communication. That way customers can be sure they are really hearing from Target when they get emails from the retailer
The company says it is aware of “limited instances” of scam emails. Snyder said the company doesn’t have any other specifics to provide about the fake emails.The Associated Press contributed to this report.