Target: Encrypted PINs were stolen

ATLANTA

- Target said yesterday that debit-card PINs were among the financial information stolen from millions of customers who shopped at the retailer earlier this month.

The company said the stolen personal identification numbers, which customers type into keypads to make secure transactions, were encrypted and that this strongly reduces risk to customers. In addition to the encrypted PINs, customer names, credit- and debit-card numbers, card expiration dates and the embedded code on the magnetic strip on back of the cards were stolen from about 40 million credit and debit cards used at Target stores between Nov. 27 and Dec. 15.

"We remain confident that PIN numbers are safe and secure," spokeswoman Molly Snyder said in an emailed statement yesterday. "The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems."

However, Gartner security analyst Avivah Litan said yesterday that the PINs for the affected cards are vulnerable and people should change their codes since such data has been decrypted, or unlocked, before.

"It's not impossible, not unprecedented [and] has been done before," she said.

Besides changing your PIN, Litan said shoppers should instead opt to use their signature to approve transactions because it is safer. Still, she said Target did "as much as could be reasonably expected" in this case.