That’s a little over the top, eh? They disclosed within 4 days of discovery and implemented better security controls all over. They are probably the only major retailer with chip and pin payments in the US, for example.
If you think they were unique or egregious in terms of 3rd party access to networks, I am afraid that you will find reality disappointing.
Should that same existential penalty be applied to every company who had Log4J running in prod a few months back? That was a much more widespread root compromise...
Not comparable. Log4j was a vulnerability in the software, not leaving their shit open and putting all their cash registers on an intranet available to the internet.