Ouch: Target Confirms Encrypted PIN Codes Were Stolen in Data Theft


Target (NYSE:TGT) had more data security updates to share Friday, but unfortunately, its news wasn’t all that rosy. The Minneapolis, Minnesota-based retailer confirmed in a blog post that PIN codes used to secure ATM cards were indeed stolen as part of the massive data breach that involved 40 million cards used at Target stores during a three-week period.

In its admission, Target maintained that the stolen PIN information was “strongly encrypted” when it was removed, and asserted that, “We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.”

Target was careful to explain the convoluted encryption process that a thief would have to defeat to access consumers’ bank account information, stating that, “Target does not have access to nor does it store the encryption key within our system. The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor.” However, despite Target’s fervent assertions, customers are still expected to have heightened concerns over the security of their information, and they may be less likely to visit Target stores in the future, further damaging the company in the wake of the second-largest security breach suffered by a U.S. retailer.

Target has now been working with investigators for more than a week to determine how hackers accessed the data from 40 million cards used at Target stores from November 27 to December 15. When the retailer first confirmed the large-scale security breach on December 19, Target shares plunged and haven’t fully recovered since. During the lucrative holiday shopping season, the data theft came at the worst time possible for the brick-and-mortar retailer, but unfortunately, more than just the holiday sales are suffering. Future forecasts are feeling the burn, too.

Many analysts have now cut their earnings predictions for the company, especially after Target saw a 5 percent reduction in customer traffic the final weekend before Christmas. One such brokerage is Cowen & Co. (NASDAQ:COWN), which explained its belief that the incident is likely to scare away potential customers as well as impact the company’s margins. Several other analysts recently joined the Target pessimist bandwagon, and this newest update isn’t expected to help matters.

Target has a valid point that it would be significantly difficult for thieves to defeat the encryption and obtain the account information needed to make fraudulent withdrawals, but for many consumers, hearing that PIN codes were indeed stolen was the only excuse they needed to avoid Target stores in the future. Target offered a meticulous explanation of the encryption process in its blog post Friday, concluding with, “The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken,” but the jury is still out as to whether customers really believe it.
