Target has confirmed that encrypted debit card PIN data was stolen as part of the massive hack carried out against the retailer between late November and early December. The company previously admitted that card numbers and expiration dates were compromised in the attack that affected 40 million customers. That data has already started appearing on the black market, which in turn has put financial institutions across the US on high alert as banks look to protect customers from fraudulent activity.
Target says it remains confident that identification numbers are "safe and secure" thanks to the Triple DES encryption it uses to protect sensitive data. “The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems,” the company said in a statement. When you make a debit purchase at one of Target's stores, your card information is "encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor,” the retailer says. "What this means is that the ‘key’ necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident." To underline that point, Target closes its latest update on the incident by saying, "The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken."
The retailer has confirmed that it is working alongside the Justice Department and United States Secret Service to find those responsible for the breach, which was timed to coincide with the incredibly popular holiday shopping season. Class action lawsuits accusing Target of not doing enough to protect consumer data are already starting to pile up.