Last week, retailer Target announced that 40 million credit and debit card numbers had been taken from its database. So far, the identities of the people behind the cyber attack are still unknown but today Target revealed the theft also involved the PIN numbers that were linked to those cards.
In theory, the thieves who took the PIN numbers could use them in combination with the credit card data to make withdrawals from customer bank accounts. However, Target's statement today claims that the numbers are "strongly encrypted", adding that the encryption key needed to unlock those PINs is part of an external and independent payment database. Target said, "The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken."
The credit card data was taken from Target's servers between November 27th and December 15th. The Krebs on Security website, which first broke the story of the Target cyber attack, says that many of those credit card numbers are now being distributed in underground online shops frequented by hackers. Target has said it plans to offer free credit monitoring to the customers that have been affected by this incident but details have not been announced.