Target Confirms Encrypted PIN Theft After All

The retailer says that debit accounts remain secure thanks to strong encryption.

  • Share
  • Read Later

Target is no longer pseudo-denying that encrypted PINs were stolen in the holiday shopping security breach that resulted in 40 million compromised payment cards.

In a statement, Target has confirmed a Reuters report from Wednesday that said hackers collected the encrypted PINs:

While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed. We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.

Target further explains how the encryption works:

When a guest uses a debit card in our stores and enters a PIN, the PIN is encrypted at the keypad with what is known as Triple DES. Triple DES encryption is a highly secure encryption standard used broadly throughout the U.S.

Target does not have access to nor does it store the encryption key within our system. The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the “key” necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident.

This is the response Target should have issued from the beginning, rather than giving the impression that the Reuters report was bogus. Or, if Target was just trying to make absolutely sure that encrypted PINs were stolen, a simple “we’re still working to confirm this” would have been better than PR doublespeak.

Still, let’s give Target some credit for a proper explanation, even if it’s a bit overdue.


Target claims there is a silver lining in all this, the 'glass half full': since the master key for the encryption of the credit card pins was separate from the breached Target system, the bad guys cannot unencrypt those pins. Target is therefore able to claim a kind of 'Safe Harbor' claim: that the key to decrypt the data could not have been taken, and "The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken."

Safe Harbor is a respectable concept with some clear technologies emerging to enable it, for both larger companies and (using cloud technology) for SMEs. For example, see


Insecurity in most secure domain where does it end