
Lidl has their own IT company that is not mentioned in the article as far as I can see: https://it.schwarz/ (linked from the "Digits" page, though)



Their self-checkouts run MS-Windows 7. That's just one step up from Vista. Their payment terminals run ancient OpenSSL versions. Their website until recently blocked searches for products whenever a substring matched a generic catch-all SQL injection blacklist.

And their in-store discounts require you to have an Android or Apple device and install their proprietary app on it from Google Play or iTunes, and sign up for an account using your e-mail address and personal cellphone number (landlines and non-geographical numbers are disallowed). It also collects your data and sends it to Google and Facebook.

This is the worst IT of any store I've seen.
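
The substring blacklist failure described in the comment above, as an added example that is not from the thread or from any retailer's code: a constructed catch-all SQL keyword list (hypothetical, not Lidl's) refuses legitimate product searches such as "drop cloth" or "Union Jack", while a parameterised query over an in-memory SQLite catalogue (constructed sample products) handles the same terms, including an apostrophe, without any filtering. The point for defenders is that the blacklist both breaks search and adds no real protection; binding parameters is what actually prevents injection.

```python
import sqlite3

# Constructed blacklist of the kind of generic SQL-injection signatures a
# catch-all filter might match as substrings (hypothetical, not any store's list).
NAIVE_BLACKLIST = ("select", "union", "drop", "insert", "--", "'", ";")


def blacklist_rejects(term: str) -> bool:
    """Substring blacklist filter: returns True if the search term is refused.

    Any product name that happens to contain a keyword is blocked, while the
    filter adds no safety if the query is still built by string concatenation.
    """
    lowered = term.lower()
    return any(bad in lowered for bad in NAIVE_BLACKLIST)


def build_catalogue() -> sqlite3.Connection:
    """Create an in-memory catalogue with constructed sample products."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO products (name) VALUES (?)",
        [
            ("Drop cloth, 4x5 m",),
            ("Union Jack flag",),
            ("Select cuts beef",),
            ("Mini apple strudel",),
            ("Jack O'Lantern pumpkin",),
        ],
    )
    return conn


def search_parameterised(conn: sqlite3.Connection, term: str) -> list[str]:
    """Safe search: the term is bound as a parameter, never spliced into SQL.

    LIKE wildcards in the user's input are escaped so a '%' or '_' typed by
    the user is matched literally rather than acting as a wildcard.
    """
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    rows = conn.execute(
        "SELECT name FROM products WHERE name LIKE ? ESCAPE '\\' ORDER BY name",
        (f"%{escaped}%",),
    ).fetchall()
    return [r[0] for r in rows]


def compare(terms):
    """For each term: (does the blacklist block it?, what the safe query returns)."""
    conn = build_catalogue()
    return {t: (blacklist_rejects(t), search_parameterised(conn, t)) for t in terms}


if __name__ == "__main__":
    for term, (blocked, hits) in compare(
        ["drop cloth", "union", "O'Lantern", "apple", "' OR 1=1 --"]
    ).items():
        print(f"{term!r:16} blacklist blocks: {blocked!s:5} safe query -> {hits}")
```

Running the block shows the three legitimate terms being refused by the blacklist while the bound query returns the matching products; the injection-shaped input is simply a string that matches nothing.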


A POS device at a Target store was used to exploit systems in a completely different part of the Target infrastructure to allow CC details to be dumped. I think most supermarkets have lacklustre security.





