WASHINGTON, Dec. 27 (Xinhua) -- Target Corp said on Friday PIN data of its customers' debit cards have been stolen in a recent massive bank card data breach, which affected millions of customers who shopped in its U.S. stores.
Information of about 40 million credit or debit cards that have been used in most of Target's 1,797 stores from Nov. 27 to Dec. 15 have been stolen, the U.S. second largest retailer said last week after it detected the illegal action and fixed the problem.
It said the information involved in this incident included customer name, credit or debit card number, and the card's expiration date and CVV.
"Through additional forensics work we were able to confirm that strongly encrypted PIN data was removed," Target said on Friday in a statement.
But the stolen PIN data were "safe and secure," as "the PIN information was fully encrypted at the keypad, remained encrypted within our system and remained encrypted when it was removed from our systems," the statement added.
Security experts said the possibility for hackers to decrypt the PIN was quite little but the risk to break still exist, as some card-holders' PINs are easy to guess like 1234, or hackers can use phishing scam to lure card-holders to enter their card information and PINs on some fake websites.
It was the largest bank card data breach against a U.S. retailer after the TJX Cos Inc. case in 2007 in which hackers stolen data from more than 90 million bank cards over about 18 months.
Several banks have taken emergency actions to face the data breach by setting limitations on the daily withdrawal and transactions. JPMorgan Chase & Co has decided to reissue debit cards for its 2 million customers.
As the incident happened in the most important year-end shopping season, it badly affected the business of Target. Target's consumer perception scores plummeted to their lowest since 2007 after the breach, according to a survey of 15,000 people by YouGov Brand Index.
About two dozen lawsuits have been filed against Target by customers in Minnesota and California states and New York City, accusing the retailer of failing to protect their private information.