Target admits encrypted PIN data was stolen during credit, debit card security breach

ATLANTA - Target says that customers' encrypted PIN data was removed during the data breach that occurred earlier this month.

The company issued a statement Friday that additional forensic work has shown that encrypted PIN data was removed along with customers' names and card numbers. But Target says it believes the PIN numbers are still safe because the information was strongly encrypted. It says the PIN can only be decrypted when received by its independent payment processor.

A PIN number is the personal identification code used to make secure transactions on a credit or debit card.

Data connected to about 40 million credit and debit cards used at Target were stolen between Nov. 27 and Dec. 15.

Minneapolis-based Target says it is still in the early stages of investigating the breach.

Target has 1,797 stores in the U.S. and 124 in Canada.

Paul Hartwick, spokesman for Chase Bank, one of the largest U.S. credit card issuers, helped break down what to do if your credit or debit card was affected. 

Q: How do I know if my credit card data was stolen?

A: Target officials said if you shopped at one of the stores between Nov. 27 and Dec. 15, 2013, you should check your account for unusual activity. This is not limited to Target-card holders. Anyone who used a credit card at the stores could be affected.

"The best way to figure out whether your account has been breached is keep an eye on your account. Look for transactions you don't recognize. The good news is that Chase and many other banking institutions will not hold you liable for these charges," said Hartwick. 

Q: How is Target handling the security breach?

A: In an announcement  posted to its website, Target officials did not say when they first learned of the breach but it has been investigating. Target has alerted authorities and financial institutions and urged credit card users to work with the three credit reporting companies if fraudulent activity is suspected. 

Q: Has the issue been resolved?

A: Target said in its announcement that the data issue is resolved.

Q: What should I do if my card has been breached?

A: The first step is to contact your banking institution. Often there will be a number on the back of your card, according to Hartwick. The important thing to remember, he said, is that you can continue to use your card normally. Target Corp. also suggested in a release to contact the Federal Trade Commission or law enforcement to report incidents of identity theft or to learn about steps you can take to protect yourself from identity theft.  To learn more, you can go to the FTC’s Web site, at, or call the FTC, at (877) IDTHEFT (438-4338) or write to Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580.

Q: Is it possible to recover any money stolen from credit or debit accounts?

A: Chase Bank, in addition to many other U.S. banks, will not hold you liable for fraudulent charges as long as they are identified in a timely manner.

Q: How did the Target security breach happen?

A: Officials have not said how the breach occurred or if they know who is responsible.

Q: Might such a large security breach become more common in the future?

A: Bad guys are always at work, and it's important that merchants as well as customers stay aware, Hartwick said.

Q: What are best practices a consumer can keep in mind to avoid this happening again?

A: A large amount of fraud is stopped before it starts, according to Hartwick. "Chase and other banks often monitor accounts for suspicious activity and stop fraud before you ever see it on your account," he said. It's still important, however, to check your bank account regularly and make sure there are no charges that you don't recognize. "The biggest and best thing customers can do is be aware, shop at reputable places such as Target, monitor your account information, be in contact with your card issuer and be aware."

Print this article Back to Top