Hackers who stole data for up to 40 million credit cards and debit cards used in Target stores removed encrypted data containing personal identification numbers, but the theft isn't expected to compromise cardholder accounts, the company said Friday.
"We remain confident that PIN numbers are safe and secure," said a statement issued Friday by Target spokeswoman Molly Snyder.
According to the company, Target does not have access to or store the encryption key within the company's computer systems. When a Target customer uses a debit card in one of the company's stores and enters his or her PIN, the number is encrypted at the keypad with a widely used security program known as Triple DES, the company said.
Triple DES is the common name for the Triple Data Encryption Algorithm, a standard designed to thwart efforts to crack encrypted data. The PIN data can only be decrypted when it is received by the company's external payment processor, Target said.
"What this means is that the 'key' necessary to decrypt that data has never existed within Target's system and could not have been taken during this incident," the company said, adding "the most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken."
Brian Krebs, a computer security expert whose website first reported news of the data breach, said in a phone interview Friday that Target's new disclosure means the thieves would have to find a way to break into electronic systems of the payment processing company that works with the retail chain.
"It would involve a much more elaborate and multi-party compromise," said Krebs, who added "that's a good thing," for worried Target cardholders.
However, proposed class-action lawsuits filed against the nation's third-largest retailer in the wake of the massive November-December data breach have alleged that thieves might find a way to break the encryption and use the PIN numbers to withdraw money from cardholders' bank accounts.
A Reuters report earlier this week cited similar concerns and said an executive of at least one major bank voiced fear that the thieves might make fraudulent withdrawals.
Along with the encrypted PIN data, Minneapolis-based Target previously said that data thieves stole customer names, credit and debit card numbers, card expiration dates and the embedded code on the magnetic strip on the back of cards used at Target between Nov. 27 and Dec. 15.
Target announced Monday that the Department of Justice is investigating the data theft, which has been called the second largest in U.S. history. The Consumer Financial Protection Bureau also said it was reviewing congressional calls to investigate Target's data security and handling of the breach.
The company has not yet filed a formal disclosure of the incident with the Securities and Exchange Commission.
Contributing: Mike Snider