In this case, the guess is a pretty good one due to the e-commerce software they use. It's probably one of the hardest hit e-commerce solutions in existence and unless you bring your A-Game to the table when it's decided to use that software, will quickly bite you in the hind end.
That may be true but the frequency and number of attacks, over the last 4 years, and there responses suggest they either don't care or were in on it.
The pattern is pretty clear.
They knew this was happening.
They have known for years.
They barely addressed it publicly and obviously didn't secure there end after the first few thefts.
Same type of fraudulent charges suggest its the same thief.
Just my opinion.