After admitting yesterday that some encrypted data had been taken in the hack potentially affecting 40 million customers, Target has gone on to confirm that the stolen encrypted data does in fact include PIN information. Whether or not the hackers will be able to extract the PINs from this data, though, remains to be seen.
Target is currently attempting to assure customers that though the hackers may have the encrypted form of the PIN data, the digital keys to their bank accounts are still perfectly safe:
"The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.
"When a guest uses a debit card in our stores and enters a PIN, the PIN is encrypted at the keypad with what is known as Triple DES. Triple DES encryption is a highly secure encryption standard used broadly throughout the U.S."
With this form of encryption, Target's own system would not give the hackers access to the encryption key; only the external payment processor has access to that kind of information. However, with the level of technological sophistication it would take to pull off a heist like this, it's entirely possible that the hackers would have the means of overcoming this little hiccup.
Still, at least as far as Target is concerned, it seems customers' PINs are safe for now. Even so, we highly recommend keeping a very, very close eye on your bank account if you shopped at a US Target store between the dates of November 27 and December 15. [Target]