ATLANTA - Target said Friday that debit-card personal identification numbers were among the financial information stolen from millions of customers who shopped at the retailer earlier this month.

The company said the stolen personal identification numbers, which customers type in to keypads to make secure transactions, were encrypted and that this strongly reduces risk to customers. In addition to the encrypted numbers, customer names, credit- and debit-card numbers, card expiration dates and the embedded code on the magnetic strip on back of the cards were stolen from about 40 million credit and debit cards used at Target between Nov. 27 and Dec. 15.

Security experts say it’s the second-largest theft of card accounts in U.S. history, surpassed only by a scam that began in 2005 involving retailer TJX Cos.

Target said it doesn’t have access to nor does it store the encryption key within its system, and the personal identification numbers can only be decrypted when it is received by the retailer’s external, independent payment processor.

“We remain confident that PIN numbers are safe and secure,” spokesman Molly Snyder said in an emailed statement Friday. “The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.” The company maintains that the “key” necessary to decrypt that data never existed within Target’s system and could not have been taken during the hack.

However, Gartner security analyst Avivah Litan said Friday that the personal identification numbers for the affected cards are not safe and people “should change them at this point.”

Minneapolis-based Target said it is still in the early stages of investigating the breach. It has been working with the Secret Service and the Department of Justice.

While Target said it had identified and resolved the issue, the compromise of its data came during the most important period of the year for retailers and with shoppers already showing reluctance to spend.

Even before the theft, Target had been struggling to increase sales and earnings. The retailer’s third-quarter profit trailed analysts’ estimates as U.S. shoppers held back and expansion into Canada dragged on earnings, sending net income down 46 percent from a year earlier.

Target shares slipped 33 cents, or 0.5 percent, to close Friday at $62.15. The shares have gained 5.6 percent this year through the close of trading Thursday, compared with a 29 percent increase in the Standard & Poor’s 500Index.

Since disclosing the breakdown last week, the second-largest U.S. discount retailer has agreed to give some shoppers free credit reporting, assured them they wouldn’t be responsible for fraudulent charges and offered a 10 percent discount on purchases last weekend.

The retailer is already facing almost two dozen lawsuits, mostly from customers accusing the company of failing to safeguard their information.

The breach occurred when a computer virus infected Target’s point-of-sale terminals, a person familiar with the matter, who asked not to be identified because the investigation is private, said last week.

Information for this article was contributed by Mae Anderson and Barbara Ortutay of The Associated Press and by Leslie Patton and Lindsey Rupp of Bloomberg News.

Business, Pages 31 on 12/28/2013