Target (TGT) said additional forensics work Friday morning revealed that encrypted PIN numbers were stolen in the recent breach of its payments system, but the data is believed to remain secure.
The retailer disclosed last week that up to 40 million credit and debit cards were exposed in a massive data breach from Nov. 27 to Dec. 15. Consumers who shopped at Target stores during that period were potentially impacted, and banks such as J.P. Morgan Chase (JPM) put spending limits on cards to thwart fraudulent charges.
Customer names, card numbers, expiration dates and security codes were stolen in the breach. Target previously said there was no indication that PIN numbers on bank-issued or Target debit cards were compromised.
On Friday, additional investigative work confirmed that encrypted PIN data was removed from Target’s system. The numbers, which are encrypted at the keypad, remain secure since the key used to decrypt the information is only held by its external payment processor, Target explained.
“The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken,” said Molly Snyder, a spokeswoman for the company.
The latest update from Target comes as some state attorneys general question whether the retailer had proper safeguards to prevent customer data from being stolen.
According to Target, the stolen PIN numbers were encrypted using Triple DES, a commonly-used encryption standard.
Shares of Target were down 26 cents at $62.22 early Friday afternoon. The stock has fallen about 2% since news of the data breach surfaced.