Point-of-sale systems have become a major target for cybercriminals in recent years. To pull it off, security experts said, a company insider could have inserted malware into a company machine, or persuaded an unsuspecting employee to click on a malicious link that downloaded malware giving cybercriminals a foothold in the company's point-of-sale systems.
In addition to payment systems at Barnes & Noble last year, criminals also breached Global Payment Systems, one of the biggest card transaction processors. The biggest known security compromise to date was an attack at Heartland Payment Systems, another credit card processor, in 2009. Criminals used malware to break into the company's internal network and steal data for 130 million cards.
"Why do we keep hearing about this? Because criminals go where the money is," said Michael Sutton, a vice president for research at ZScaler, a security company. "Typically, criminals will steal credit card information and then sell it. There's a very elaborate economy built around this type of crime. That's a very valuable asset that can be obtained completely through remote Internet access."
Security experts advise Target customers to scan their accounts for unauthorized transactions and change the PINs to their debit accounts.
"There's not a great deal customers can do, other than take the necessary steps, like changing passwords, credit card numbers if they have been informed of a breach," Mr. Sutton said. "Beyond that, they can take proactive steps like shopping with reputable vendors."
"Then again," he added. "Here we are talking about one of the largest retailers in the United States. No one is immune."
—By Nicole Perlroth of The New York Times