Target has confirmed that the hackers who stole 40 million credit card numbers from customers using its in-store checkout system have also obtained the personal identification numbers (PINs) that accompany those cards.
But, Target said in a statement this afternoon, the PIN data is encrypted so it believes the numbers are not usable by the hackers:
While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed. We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.
The data can only be unencrypted by Target’s payment processor, so the encrypted data is useless, the company added.
The hackers stole the data by infecting Target’s brick-and-mortar retail store point-of-sale systems with malware. As shoppers swiped their cards at the checkout and punched in their PIN numbers, the hackers took copies. About 40 million cards were taken during the post-Black Friday period.
The card numbers are currently being sold on a black market web site allegedly run by this Ukrainian hacker. Meanwhile, in the U.S., banks are limiting cash withdrawals for customers who shopped at Target and asking account holders to change their security data or get new cards.
NOW WATCH: Tech Insider videos
Business Insider Emails & Alerts
Site highlights each day to your inbox.