Staff Writer
Columbus CEO

c.2013 New York Times News Service

SAN FRANCISCO — After hackers made off with the credit and debit card data of 40 million Target customers, the retailer said the personal identification numbers, or PINs, of those customers had been spared.

Not so.

On Friday, Target backtracked from previous statements and said cybercriminals had taken customers’ encrypted PIN information, too. The admission was the latest installment in Target’s worst nightmare.

Beginning Nov. 27, the day before Thanksgiving, hackers broke into the payment systems inside Target stores, so-called point-of-sale systems, and, over the course of the next three weeks, stole the credit and debit card data of 40 million customers, including their names and the expiration dates and security codes of their cards. It was the second-largest breach of a retailer on record, after a 2005 breach at T.J. Maxx that compromised records for 90 million customers.

Earlier this month, Target customers’ data was popping up on the black market. Criminals can copy that data onto counterfeit cards that can be used for purchases or to buy gift cards that can be exchanged for cash. Each counterfeit credit card can be worth as much as $100. In the first week after Target confirmed it had been breached, the one saving grace appeared to be that PINs associated with debit cards had not been stolen.

With those gone now, too, Target scrambled Friday to reassure customers that their PINs were protected by encryption and that the keys to descramble its codes had been stored separately from the systems that had been hacked. The retailer is working with private forensics teams to investigate the breach, and the Secret Service and Justice Department continue to investigate as well.

“We remain confident that PINs are safe and secure,” Molly Snyder, Target’s spokeswoman, said in an email. “The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.”

But security experts say encryption may provide only temporary relief. When it comes to security, experts say the general rule of thumb is that where there is a will, there is a way.

For profit-minded cybercriminals, PIN data is some of the most coveted of all. With PINs, cybercriminals can make withdrawals from a customer’s account through an ATM. And even if Target stored the keys to unlock its encryption on separate systems, security experts say, that has not stopped hackers previously.