While I'm excoriating these retailers' security practices (or lack of same), I can't leave out Target's "message to our guests," because it demonstrates complete obliviousness regarding security issues. After several days of reminding my company's users (and my family and friends) to watch out for the scam emails that would surely follow the Target breach, Target's knucklehead CEO sent out an email with all the hallmarks of those scams — the appearance was the same, it was not personalized (it started, "Dear Target Guest"), and the email account used to send the message (the "From" address) was not target.com, but the mysterious bfi0.com. How is anybody supposed to tell this real message from the plethora of fakes?
Why am I being so hard on the "victims" (by which I mean the breached retailers)? Partly because I think they should have done more to prevent these breaches before they happened. But it's also because I'm frightened by the scale and specificity of these attacks — they were focused on specific retailers, during a specific period of time (the holidays), and targeted the POS terminals. This was a big op, run by professionals who know what they are doing. And I fear the day when attackers like them turn their attention to me.