The fraud likely involved gas pump "skimming," where hackers capture the data from a card's magnetic stripe when it's pulled through a reader, then use that data to produce illegal copies of the card. The practice has long been used to rip off consumers at bank ATMs.
"Some lawyer probably read through the California notification law and/or the PCI standard, and decided that the breach wasn't subject to either," said Litan. "I think Sam's got away with not disclosing details of the fraud."
Nor will next year be a landmark one for data security. "I'm not optimistic," she admitted. "Security spending will continue to increase, but for many companies, the only motivation will be to keep themselves out of the media."