Buckle says it "promptly" took steps to investigate and scrub the malware (which didn't touch its online store), but it's not clear how many customers could have been affected or who's behind the breach. If the attackers wanted, though, they could have used the info to duplicate cards and go on shopping sprees.

The incident is a reminder of the ongoing problems with magnetic card security at American stores, some of which aren't the fault of the retailers. It's clearly a problem that Buckle didn't catch the malware for months, and that we're only hearing about the breach two months after Buckle resolved it. However, there's only so much that shops can do to mitigate the damage from these thefts. Some American banks still haven't issued chip-based cards, and you aren't obliged to replace an existing stripe-only card until it expires. It may take years before chips dominate American shopping the way they do in other countries, and that makes it all too tempting to hijack their point-of-sale systems in the meantime.