The vast majority of online transactions, while maybe not secure, don't result in fraud. The cyberthieves almost always go after the low-hanging fruit. While it is exceedingly difficult, if not impossible, to fully secure any system and still make it usable, the implementation of best practices DETERS most crims. Hacking a very secure system occurs, but is rare. A good analogy would be comparing stats of basement-apartment window-smashing burglaries to "Pink Panther" style expert heists. The experts don't usually bother with ground-floor apartments; their targets are worth the difficulty. There are 10,000 smash-and-grabs for every well-planned Mission Impossible type offence.
For the cybercrims, in many ways it's even easier, because they can knock on ten thousand doors a day to find the one that is unlocked. The risk of being reported for suspicious activity by neighbours is not even a factor, and they don't get hungry from walking around.
Most of the large data breaches we hear about are a result of complete indifference to security. The recent Ashley Madison "hack" was in all probability not a hack at all, but an insider with access making it look like a hack, because if an insider is involved, there will be a short list of suspects to investigate.
Insider data theft is greatly under-reported. It is far easier to point the finger at Evil Hax0rz, because the company knows that the public will accept a "what can you do, it happens" attitude. It also limits the company's liability, and the outrage they will face from pissed-off consumers. This, coupled with the fact that many police agencies lack the training to properly investigate cybercrime, makes insider theft a relatively safe option.
Most cybercrims WON'T wait a year to release or sell their stolen CC info. The spin that these hyper-clever Hax0rz are cunning enough to do this is almost laughable. Credit cards have expiry dates. The longer you wait, the fewer of your stolen numbers will work. More of them may be cancelled because people switch banks and cards, other fraud, etc.
Releasing in batches is still going to result in being able to track the common point of origin, and the more stale a number, the less it is worth on the secondary market for the "end user" crims. Like any other thieves, cybercrims want to get the money as fast as possible. That is why they are fucking crims.
To be hit twice is shocking. Is a vape shop the type of target a "Master Evil Hax0r" would waste his time with? It's quite a ways further down the trough from Sony, or Target. Not proactively disclosing a breach definitely makes a target more appealing, but what hacker would safely assume that their target had learned nothing from the first time?
If a company suffers a data breach, is open about it, and hardens their systems to the point they are not an attractive target anymore, it is unlikely there is any inside fuckery. But if they keep mum and hope nobody notices, and play the victim without owning their complacency, it bears a second look. If it is an ongoing occurrence, and they still have not learned to proactively disclose that their customers may have had their information compromised, I would consider them highly suspect.
As consumers, we are partly responsible for this problem as well. We need to begin holding these companies accountable. If a company experiences no impact on their bottom line for unethical behaviour, why WOULD they ever change?