US retailer Target has said hackers obtained “strongly encrypted” data in a recent security breach, but that customer debit cards do not appear to have been compromised.
“While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN (personal identification number) data was removed,” Target said in an update to the massive breach affecting some 40 million customers.
“We remain confident that PIN numbers are safe and secure.”
Target said the PIN data is encrypted within company systems that can only be decrypted by its “external, independent payment processor.” The “key” to decrypt the data is not part of the Target system and could not have been taken, it said.
“The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken,” Target said.
The big US retailer said on December 19 that some 40 million customers may have been affected after hackers broke into its payment database between November 27 and December 15.
Target has said previously that hackers had obtained data that included customer name, credit or debit card number, and the card’s expiration date and CVV (the three-digit security code).
The company is working with the Secret Service and the US Department of Justice to investigate the data breach.
Analysts consider the data breach one of the worst in recent memory. At least three class-action lawsuits have been filed on the matter.
Target shares were off 0.4 per cent at midday. Target shares have dipped 2.1 per cent since December 18, a period that has seen the broader market repeatedly lifted to new record highs.