In 2009, computer hacker Albert Gonzalez pleaded guilty to conspiracy, wire fraud and other charges after masterminding debit and credit card breaches in 2005 that targeted companies such as T.J. Maxx, Barnes & Noble and OfficeMax. Gonzalez's group was able to decrypt encrypted data. Litan said changes have been made since then to make decrypting more difficult but "nothing is infallible."
"It's not impossible, not unprecedented (and) has been done before," she said.
Besides changing their PINs, Litan says, shoppers should opt to use their signature instead to approve transactions because it is safer.
Still, she said Target did "as much as could be reasonably expected" in this case. "It's a leaky system to begin with," she said.
Credit card companies in the U.S. plan to replace magnetic strips with digital chips by the fall of 2015, a system already common in Europe and other countries that makes data theft more difficult.
Minneapolis-based Target Corp. said it is still in the early stages of investigating the breach. It has been working with the Secret Service and the Department of Justice.
Ortutay contributed from San Francisco.