
It's never anything simple, like plain incompetence or not following "best practices". In this case we're told it was "highly sophisticated malware".

Yeah, sure, because a store that sells low-cost craft supplies like Michaels does is undoubtedly a "high value" target worthy of only the most advanced malware ever written.



You don't have to be a high value target to be a target, you just have to be online, vulnerable, and have something worth taking. Most companies fall under that umbrella. Likewise, highly sophisticated malware doesn't mean that someone wrote the most advanced malware ever, just that Michaels was protected yet still vulnerable in some way. All it took was finding out how, and that's not easy either. Heartbleed is dead simple, but still took years to discover, for example.

Information security is hard. You have to be right 100% of the time, while the attackers only have to be right once. Best practices and competence will only get you so far. If someone wants to get in and you were only 99% right, they WILL get in. It's just a matter of time.



