by Someone1234 4188 days ago
I am a former customer of theirs (in the UK) and just contacted CS about this. I'm also looking into contacting the Information Commissioner's Office as this issue is still open and my personal information (and that of the people I send cards to) is still available to anyone who may want it.

I'm pretty sure them ignoring this for a year is illegal as it involves personal information which their privacy policy didn't authorise them to publish. However, I'll leave it to the ICO to make that determination.


I've also sent customer services an email demanding an explanation and the closure of my account and deletion of personal data if true and sent an email to the ICO.

In reality I don't hold out much hope but fingers crossed we can get some pressure behind this and force companies to take security seriously, especially when the vulnerability is responsibly reported as this seems to have been originally.

In my other comment, I said the ICO should have been the first place this was reported rather than putting it on the net for opportunistic bad actors to dump all their customer data in pastebin.....
Please do contact the ICO! Regulation needs people to complain. The ICO doesn't investigate complaints if there's been a 3-month (?) delay.
My guess is that the ICO won't fine them very much as it did not include full credit card numbers. However, they might up it for failings in process, lots of remedial measures etc.

They might not even have PCI compliance issues alas.

The management will argue that they knew nothing, although that is becoming less of a defence now.

Doesn't matter: if they're a UK-based company they fall under the EU GDPR and can receive a fine of 5% of their worldwide turnover for any loss of personal data, blanked-out credit card numbers or not.

http://en.wikipedia.org/wiki/General_Data_Protection_Regulat...

There are more egregious examples of data protection violation here, and the fines look pretty small:

https://ico.org.uk/action-weve-taken/enforcement/

A cursory read of your own link would have told you that the new Data Protection Regulation is not yet in force and so the figure you quote is incorrect.

The ICO in the UK currently has the ability to fine up to £500k as I understand it.

Social engineering once you have the last four digits of the credit card number and the billing address is almost certainly enough to score full credit card numbers (e.g. use them to reset the password for an Amazon account).
Not to mention that the first few will be in a certain range (or possibly with a certain prefix) depending on the card type. Oh, and the last one is the check digit.

SSNs are worse, though. The last four digits plus your birth date & location might just give the whole thing away.

Do it.

I work in eCommerce (we develop a platform), and this stuff pisses me off no end, as it tarnishes the entire industry, and we'll now be dealing with jumpy clients for a month after this news hits the trade rags.