UPDATED 09:15 EDT / JANUARY 07 2015

IBM: Attacks on retailers declined in 2014. Now the bad news…

Top industries attacked, 2014

The number of cyber attacks against retailers has dropped dramatically over the last few years, according to new data from IBM, but that’s no reason for security pros to celebrate. Hackers have merely changed their tactics, shifting the emphasis from quantity to quality, and their success has been disturbing.

IBM said 61 million records were stolen from retailers over the last 12 months. That’s down from 73 million a year earlier, but hauls are getting bigger. Excluding the handful of incidents that involved over 10 million records, notably the attacks against Target Corp. and Home Depot Inc., hackers got away with 43 percent more retail data in 2014 than they did the previous year.

Taken together with the fact that the average number of daily attacks recorded by IBM’s security outfit dropped more than one-quarter from 4,200 in 2013 to 3,043 last year, it’s clear that the typical breach has become more destructive.

The period that witnessed the biggest decline is the two-day shopping spree between Black Friday and Cyber Monday, which have consistently ranked as the biggest days for e-commerce. The number of breaches in that time frame plummeted 50 percent in 2014, which actually may indicate that a major breach was successful. News of attacks typically doesn’t hit the headlines until months later.

The well-publicized string of incidents that hit the headlines last year has pushed many retailers into shoring up their defenses, but cyber criminals are also getting more sophisticated. IBM found that the memory-scraping software used in the Home Depot and Target breaches has been supplanted by arbitrary command and SQL injections as the most popular means of attack, with the latter two techniques having accounted for the “vast majority” of hacks that the company recorded.

Big Blue placed blame for the deteriorating situation on the complexity of database deployments and the carelessness of security services professionals. Ironically, security pros who were surveyed in a separate study by ThreatTrack Security Inc. published in November said they’re more confident in their abilities than ever.

The survey indicates that retailers will have to improve not only their network protection but also the human dimension of security in order to adequately defend against the threats of the coming year. However, the recent revelations about the historic breach of JPMorgan Chase & Co. suggest that this is easier said than done for large organizations with sprawling infrastructure footprints often extending beyond the reach of the IT department.

