ATLANTA - Target Corp. now says customers' encrypted PIN data were removed from its files during the massive security breach this month.
Previously, Target had said encrypted data were stolen, but stopped short of identifying the data as PIN numbers. But the company issued a statement Friday saying additional forensic work has shown that encrypted PIN data were removed along with customers' names and card numbers.
Data connected to about 40 million credit and debit cards used at Target were stolen between Nov. 27 and Dec. 15.
Security experts say it is the second-largest theft of card accounts in U.S. history, surpassed only by a scam that began in 2005 involving TJX Cos. In addition to the encrypted PIN numbers, the stolen data from Target included customer names, credit and debit card numbers, card expiration dates, and the embedded code on the magnetic strip on the back of the card.
Still, Target said it believes the PIN numbers are safe because the information was strongly encrypted. The retailer said PIN information can only be decrypted when received by its external, independent payment processor.
"We remain confident that PIN numbers are safe and secure," said spokeswoman Molly Snyder in a statement. "The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems."
Minneapolis-based Target said it was still in the early stages of investigating the breach. It has been working with the Secret Service and the Department of Justice.