Big credit and debit card retailer breaches keep on coming,making 2014 – by any yardstick – the year of the massive breach.

Which are the largest?

First, understand this: More huge breaches may already haveoccurred but have not yet been divulged. Randal Cox, CSO at fraudanalytics firm Rippleshot, insisted in a CU Times interview that heknew of three big breaches that have not yet been announced.

How does he know?

Rippleshot, using big data analytics, tracks reported fraudulentuses of cards back to common points of compromise. The technique issimilar to what proactive credit unions do when a breach isreported; they try to get an early jump on which member cards wereused at a Target, for example.

With Rippleshot, the difference is the massive dataset, andinstead of working from reports of possible breaches, the companyseeks to find breaches before they are reported.

What has happened that allows these breaches? As far as theretailer breaches go, security experts heaped scorn on the systemsthat are in place.

Adam Kujawa, head of Malware Intelligence at Malwarebytes Labs,said, “There just was poor security at companies like Target andHome Depot. They simply did not see these kinds of attackscoming.”

“The incidents of the last year point out the flaws in oursecurity mindset. We need to take this more seriously,” headded. “We need an entire reboot in terms of our thinking aboutinformation security.”

As for JPMorgan Chase, if the reports are right that the hackersmade off with very limited information, much of it available inpublic records. Kujawa said that this might show that the banksuccessfully secured the sensitive data that mattered, andapparently kept some data in a more readily accessedcompartment.

“This isn't 15-year-olds who are hacking,” Sharon Vardi, CMO ofSecuronix said. “These are highly skilled, well fundedprofessionals who are good at their work.”

Security responses have to be just as professional, because thecriminals are only getting smarter and more persistent, hesaid.

“Breaches aren't going away,” Vardi said. “They in fact justseem to be getting bigger.”

For now, anyway, are the 10 worst breach offenders thisyear.

P.F. Chang'sThe restaurant operator said in June that some customer credit anddebit card information had been compromised at 33 restaurants,dating back to October 2013. Full details still have not yetbeen revealed. In at least some restaurants, P.F. Chang ceasedelectronic processing of cards and reverted to using so-called“knuckle busters,” mechanical card presses.

Sally BeautySupply. In March, the Texas-based beauty chain said it hadbeen hacked by the same gang that hacked Target. In a statement,the company said, “We have now discovered evidence that fewer than25,000 records containing card-present (track 2) payment card datahave been illegally accessed on our systems.”

ACME Markets.Details about this breach, reported in late September, are sketchy.But Albertsons, the big food retailer that owns this regional,mid-Atlantic grocer, said that it discovered malicious softwareinstalled on networks that processed credit and debit cards at someof its stores. That software was believed to have been in place foraround a month before discovery. Albertsons, in its statements,said it didn't believe any customer data was stolen.

Michaels Stores. About 3 million customer debit and credit cards wereacknowledged stolen by this crafts chain and a subsidiary, AaronBrothers. In a statement, the company said, “After weeks ofanalysis, (Michaels stores and its subsidiary, Aaron Brothers),were attacked by criminals using highly sophisticated malware thathad not been encountered previously by either of the securityfirms” the company had retained to analyze what had gone wrong.

GoodwillIndustries. The national, charitable resale organizationannounced in early September that card information at approximately330 stores had been compromised. Some 868,000 payment cards weresaid to be involved in this breach, which occurred somewherebetween Feb. 10, 2014 and Aug. 10, 2014.

JimmyJohn's. In September, the national sandwich shop disclosedthat credit and debit card information collected at 216 locationsacross the nation had been breached. The company explained theincident this way: “An intruder stole log-in credentials from JimmyJohn's point-of-sale vendor and used these stolen credentials toremotely access the point-of-sale systems at some corporate andfranchised locations between June 16, 2014 and Sept. 5, 2014.”

NeimanMarcus. A big, ugly breach at the luxury retailerapparently involved some 1.1 million card records. The company, ina statement, said, “We do know, and our forensic reports haveconfirmed, that malicious software (malware) was clandestinelyinstalled on our system and that it attempted to collect or'scrape' payment card data from July 16, 2013 to Oct. 30,2013.”

After investigation, Neiman Marcus, by its count, said that thenumber of cards involved was smaller, in the vicinity of 350,000.The company also offered a number that is rarely disclosed: Thecount of cards that are known to have been used fraudulently. Thatnumber was 9,200, in a June statement signed by CEO Karen Katz.

The HomeDepot.About 56 million card records were hacked in this attack that issaid to revolve around malware that was installed on cash registersystems.

TargetCorporation. Around 70 million holiday shoppers had theircard data compromised late last year in the breach at Target, the incident that kicked off the current wave of bigbreaches. In the aftermath, the CEO was fired, and breachesbecame a topic of continuing conversation among financial servicesexecutives.

JPMorganChase. The numbers just keep getting bigger regarding thesummer breach at the trillion dollar bank. The New York Times reported that 76 millionhouseholds and 7 million small businesses were involved. Exactlywhat the hackers made off with is not clear. Some reports suggeststhat credit and debit card information was not involved, that thehackers instead stole personal data such as addresses and phonenumbers. More details will emerge shortly, and either way, this islooming as the biggest breach ever. And it occurred at aninstitution that was widely regarded to have exemplary securitycontrols in place.