The article says that they say it only affected customers that check out as a “guest”. Presumably most customers use an account when making a purchase.

That said I saw the people reporting it initially saying you didn’t even need to submit the form to be affected so I don’t know how they can tell how many customers were affected.

What I understand is this is a breach of a single store database not the whole business. In the first paragraph they talk about customers being mad for cancelling their cards and learning just later that they were not affected by the breach.

I believe it only affected people who ordered online in a certain time frame (like a month).

They get a lot of retail business too I think. They have lots of retail stores all over the country, they are not online-only. To be honest I usually don’t even think of buying online from them, when I need something I just go there in person, it’s faster (granted I’m lucky enough to have one nearby).