The PCI effect -- for better or worse -- following fresh breach of MasterCard, VISA

30.03.2012

Ghosh says the card data was probably encrypted, in compliance with the Payment Card Industry Data Security Standard.

"But compliance as a way of regulating security is equal to complacency," he says, noting that the weak link today is not necessarily the technology, but "Layer 8," the human layer.

"If I target employees, which is how you target these days, it is not very hard, in phishing campaigns, to get employees to open an email or click on a link, which then provides access to their desktop and the privileges that come with it," he says. And in that case, "Encryption is worthless."

Ghosh says the way to deal with modern attacks is to "stop depending on employees to make the right decisions.

"We say put the employee in a bubble -- a safe, virtual environment. Then, when they're clicking on those links, they don't give away keys to the kingdom. They just corrupt a virtual environment, which actually produces intelligence for you. What you get is pre-breach forensics."