But it illustrates once again how vulnerable such systems are to attack.
Anup Ghosh, founder and CEO of Invincea, a developer of browser protection systems, says too much of the security industry is still stuck in the 1990s. "Those protections," he says, "are very easy to circumvent today. Most systems are about telling you what happened after the fact."
Ghosh says the card data was probably encrypted, in compliance with the Payment Card Industry Data Security Standard.
"But compliance as a way of regulating security is equal to complacency," he says, noting that the weak link today is not necessarily the technology, but "Layer 8," the human layer.
"If I target employees, which is how you target these days, it is not very hard, in phishing campaigns, to get employees to open an email or click on a link, which then provides access to their desktop and the privileges that come with it," he says. And in that case, "Encryption is worthless."
Ghosh says the way to deal with modern attacks is to "stop depending on employees to make the right decisions.
"We say put the employee in a bubble -- a safe, virtual environment. Then, when they're clicking on those links, they don't give away keys to the kingdom. They just corrupt a virtual environment, which actually produces intelligence for you. What you get is pre-breach forensics."
Given the present reality, however, Julian says retailers affected by the recent breach have to move quickly to comply with PCI DSS standards, to "notify consumers and brands in a timely fashion. Forty-six states have laws on the books to notify consumers if credit card information was put in harm's way. So they're scrambling to find out if they were compromised, and then they have to adapt it to the state matrix."
In an assessment model he created, Julian's list of "minimum recommended actions" includes notifying one trade organization, five state attorneys general, and 900,000 consumers in nine states, telling the credit agency of 600,000 exposures in six states, notifying local media in two states, providing other general notification and notifying five special offices in three states.
Merchants can minimize or even eliminate those fines by complying with the laws, he says, but if they don't, "they can really add up. In the (2005) ChoicePoint breach, $15 million of their $41 million in costs were from fines. And with the changes in the law since then, the fines would be much more today."
For consumers, Krebs says it doesn't make sense to demand a new card, but simply to monitor their card activity online for any suspicious transactions.