Target Corp. is denying a widely circulated report that the information stolen by cyber criminals in a massive breach of credit and debit card data included customers’ debit card PINs.
Citing a “senior payments executive familiar with the situation,” Reuters reported early Christmas Day that the data thieves have the encrypted PINs and may be able to unlock them to siphon cash out of customers’ accounts. Reuters’s story did not name the executive, who spoke on condition of anonymity in the midst of the ongoing investigation of the breach.
The story also did not indicate how many PINs may have fallen into criminals’ hands. The breach, one of the largest ever reported, involves data associated with as many as 40 million cards used at Target stores between Nov. 27 and Dec. 15.
Target has so far released little information on how the breach occurred. But in response to the latest report, a spokesperson for the company issued a statement to Reuters denying any PINs have been compromised. “We continue to have no reason to believe that PIN data, whether encrypted or unencrypted, was compromised,” said the spokesperson. “And we have not been made aware of any such issue in communications with financial institutions to date. We are very early in an ongoing forensic and criminal investigation.”
Reuters reported that, while Target confirmed some unencrypted data were stolen, it did not indicate whether these data included PINs. Target did not immediately respond to a request from Digital Transactions News for further information.
Fears that criminals have captured encrypted PINs may have been at least partly responsible for a decision by some banks to impose limits on debit card purchases and withdrawals. JPMorgan Chase & Co. late last week placed daily limits of $300 on purchases and $100 on cash withdrawals for some 2 million cardholders whose cards had been identified as having been involved in the breach. The bank on Monday raised those limits to $1,000 for purchases and $250 for withdrawals.
The breach, which was disclosed Dec. 18 by the KrebsOnSecurity blog, involves only cards used at Target’s nearly 1,800 U.S. stores. It is under investigation by the U.S. Secret Service and the Federal Bureau of Investigation. Target has reportedly hired a unit of Verizon Communications Inc. to conduct a forensics investigation.
Information from the breach is showing up for sale on so-called carder sites, online bazaars where data thieves advertise ill-gotten card information, including account numbers, expiration dates, and card-verification codes. Such data can be used to make counterfeit cards and conduct online purchases. There are no reports so far regarding whether the data for sale includes PINs.