Target’s Stolen PIN Denial: A Lesson in PR Doublespeak

In response to more bad news, Target opts for the classic non-denial denial.

  • Share
  • Read Later
Reuters / Larry Downing

After the massive Target security breach that affected millions of customers, the retailer seems more concerned with its image than with keeping customers out of the dark.

That much became clear on Christmas Day, when Target appeared to deny a Reuters report that claimed the thieves made off with encrypted bank PINs. In reality, Target’s “denial” was anything but. Read closely, and you’ll find a carefully-worded public statement that doesn’t actually refute what Reuters wrote.

Here’s the key piece of the Reuters story:

The hackers who attacked Target Corp and compromised up to 40 million credit cards and debit cards also managed to steal encrypted personal identification numbers (PINs), according to a senior payments executive familiar with the situation.

The important word here is “encrypted.” If the hackers did steal encrypted PINs, it’d be kind of like stealing a safe without having the combination. Encryption is isn’t always hack-proof, so it’s worth knowing when encrypted personal data gets into the wrong hands. For this reason, tech firms routinely tell users to change their passwords after a security breach, even when the stolen passwords are encrypted.

Target’s denial, as reported by ABC News and others, deftly avoids the question of whether the hackers stole encrypted PINs (emphasis mine):

To date, there is no evidence that unencrypted PIN data has been compromised.

That’s great, but Reuters never said anything about unencrypted PIN data. This is a classic example of PR misdirection. The statement continues:

In addition, based on our communications with financial institutions, they have also seen no indications that any PIN data was compromised.

Now, we have another important word to deal with. Target says that no PIN data has been “compromised,” which suggests that the criminals haven’t been able to crack the encrypted PINs and clean out shoppers’ bank accounts. Again, that’s great news, but Reuters never reported that customers’ bank accounts had been compromised, only that encrypted data had been stolen.

The funny thing is that if you actually read Reuters’ report, you get the pleasure of watching Target PR squirm:

Target spokeswoman Molly Snyder said “no unencrypted PIN data was accessed” and there was no evidence that PIN data has been “compromised.” She confirmed that some “encrypted data” was stolen, but declined to say if that included encrypted PINs.

Target appears unwilling to address the issue of stolen encrypted PINs, and it’s easy to guess why: The more cards that get replaced, the greater the cost to banks, which may try to recoup those costs from Target. So far, Chase is the only bank that is replacing all compromised debit and prepaid cards.

Sadly, several other publications (TIME included) didn’t pick up on these nuances. They merely reported Target’s statement as a straight-up denial, casting doubt on Reuters and its “senior payments executive” source. In other words, the misdirection worked pretty well.

Update: On Friday, two days after the Reuters report, Target confirmed that encrypted PINs were stolen in the breach after all.

(MORE: How Easy Is It For Hackers To Get Your Information?)


While encrypted PINs can't be said to be absolutely secure, they are difficult to impossible to crack.  In general, PINs are the most protected part of payment transactions. PIN encryption doesn't use bad/crackable crypto concepts like Adobe did on their passwords. And while it's Triple DES-based, its actually quite strong. All debit PINs in the US are encrypted using the same few standards:

* PIN Block and PIN encrypytion: ANS X9.8 part 1 and ISO 9564.
* Key management: DUKPT from Annex A of ANS X9.24 part 1.

Each PIN pad is injected with a unique initial key that is a double-length Triple DES key. is used to derive up to 1 million future keys. Those are all unique per device. Each transaction uses a unique future key and that is derived into a PIN encryption key to encrypt the PIN block (according to the ANSI and ISO standards).

Encryption of the PIN block is Triple DES ECB using a unique key for that transaction for that device. Breaking the encryption for that key would be a 2^112 brute force effort (would take many years for one key, no shortcuts because only one ciphertext used that key). And breaking that key will get you exactly one PIN from that device. In all, cracking PIN blocks coming from PIN pads is not a low hanging fruit and not worth the effort.

Also, this is NOT like password encryption and hashing from compromised websites which do not have to follow standards and is easy to do insecurely (read: hackable). PIN pads and their design has to be lab certified and signed off by the PCI Security Council. Merchants can only use PCI certified PIN devices if they take debit cards. The lab tests for side channel attacks against PIN encryption, ensures physical security of the device, logical security of the device, that applications running on the device (if any) cannot impact/access PIN encryption, and that tampering devices causes them to erase encryption keys and lock down.

I personally would not be at all concerned about my PIN if the attackers only had encrypted PIN blocks. While stolen debit card with a credit card logo can still be used without a PIN for a credit transaction, they won't be able to access your bank account.


Sounds like Target's PR policy is being advised by former president Bill Clinton.