Target Corporation (NYSE:TGT) confirmed that the hackers responsible for the data security breach involving approximately 40 million credit and debit cards managed to steal the “strongly encrypted” PINs of consumers.

Target

Target says PINs are secure

The retailer remained confident that the PINs are safe and secure. According to Target Corporation (NYSE:TGT), the PIN information was fully encrypted at the keypad and still fully encrypted within its system even when removed from its system.

Target Corporation (NYSE:TGT) explained, “When a guest uses a debit card in our stores and enters a PIN, the PIN is encrypted at the keypad with what is known as Triple DES. Triple DES encryption is a highly secure encryption standard used broadly throughout the U.S.”

According to the retailer, it does not have access to or store the encryption key within its system, and the PIN information is encrypted within the systems of Target Corporation (NYSE:TGT). The company emphasized that the PIN can only be decrypted when received by its external, independent payment processor.

Key needed to decrypt PINs could not have been taken

Target Corporation (NYSE:TGT) said, the key necessary to decrypt PINs “never existed within Target’s system and could not have been taken during this incident.” The retailers added, “The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers [sic] being taken.”

The company’s investigation into the data security breach is still in the early stages. Target Corporation (NYSE:TGT) previously confirmed that it is working with the Department of Justice (DOJ) and the Secret Service in the ongoing investigation regarding the incident.

Several attorneys general requested additional information regarding the data security breach and lawmakers from Connecticut are calling for an investigation into the security infrastructure of Target Corporation (NYSE:TGT). The company is also facing class action lawsuits filed by consumers alleging that it failed to implement and maintain reasonable security procedures and practices that led to the cyber attack.