by justincormack 4187 days ago
My guess is that the ICO won't fine them very much as it did not include full credit card numbers. However they might up it for failings in process, lots of remedial measures etc.

They might not even have PCI compliance issues alas.

The management will argue that they knew nothing, although that is becoming less of a defence now.


Doesn't matter, if they're a UK based company they fall under the EU GDPR and can receive a fine of 5% of their worldwide turnover for any loss of personal data, blanked out credit card numbers or not.

http://en.wikipedia.org/wiki/General_Data_Protection_Regulat...

There are more egregious examples of data protection violation here, and the fines look pretty small:

https://ico.org.uk/action-weve-taken/enforcement/

A cursory read of your own link would have told you that the new Data Protection Regulation is not yet in force and so the figure you quote is incorrect.

The ICO in the UK currently has the ability to fine up to £500k as I understand it.

Social engineering once you have the last four digits of the credit card number and the billing address is almost certainly enough to score full credit card numbers (e.g. use them to reset the password for an Amazon account).
Not to mention that the first few will be in a certain range (or possibly with a certain prefix) depending on the card type. Oh, and the last one is the check digit.

SSNs are worse, though. The last four digits plus your birth date & location might just give the whole thing away.
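The thread turns on whether the leaked data held "full credit card numbers" and on the point that the final digit of a PAN is a check digit. The Luhn algorithm that produces that check digit is the same thing a defender uses to find unmasked card numbers in logs and exports before they leak, and to mask them down to the last four (the form PCI DSS treats as non-sensitive for display). The example below is added here and is not code from the thread or from any of the companies discussed; the log line is constructed for illustration and uses the publicly documented Visa test number 4111 1111 1111 1111 plus a non-card reference number that happens to look like one, to show why a digit-count regex alone over-matches and the Luhn check is needed to cut false positives.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or hyphens.
# This regex deliberately over-matches; luhn_valid() filters the hits.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_check_digit(partial: str) -> int:
    """Return the Luhn check digit for a digit string that lacks its last digit.

    Working from the right, every other digit (starting with the one nearest
    the missing check digit) is doubled and, if the result exceeds 9, reduced
    by 9. The check digit is whatever makes the total a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def normalize(candidate: str) -> str:
    """Strip the spaces and hyphens a human-formatted card number may carry."""
    return re.sub(r"[ -]", "", candidate)


def luhn_valid(candidate: str) -> bool:
    """True if the candidate is all digits and its last digit is the correct Luhn check digit."""
    digits = normalize(candidate)
    if not digits.isdigit() or len(digits) < 2:
        return False
    return luhn_check_digit(digits[:-1]) == int(digits[-1])


def mask_pan(candidate: str) -> str:
    """Keep only the last four digits, the standard display form for a card number."""
    digits = normalize(candidate)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid card-number-shaped run in the text, digits only."""
    return [normalize(m.group(0)) for m in PAN_RE.finditer(text) if luhn_valid(m.group(0))]


def redact_pans(text: str) -> str:
    """Replace Luhn-valid card numbers with their masked form; leave other digit runs alone."""
    def _sub(m: re.Match) -> str:
        return mask_pan(m.group(0)) if luhn_valid(m.group(0)) else m.group(0)
    return PAN_RE.sub(_sub, text)


# Constructed sample log line (not from any real system). The first digit run is a
# published test card number; the second is an order reference that a naive
# "13+ digits" rule would flag but that fails the Luhn check.
SAMPLE_LOG = "order 42 paid with 4111 1111 1111 1111 ref 1234567890123"

if __name__ == "__main__":
    print(find_pans(SAMPLE_LOG))    # ['4111111111111111']
    print(redact_pans(SAMPLE_LOG))  # order 42 paid with ************1111 ref 1234567890123
```

Run over an application log or a database export before it is shared, `find_pans` gives a quick inventory of where full PANs are being written, and `redact_pans` is the shape of the masking that should have happened at write time. The Luhn check is only a structural test: it removes digit runs that cannot be card numbers, not ones that merely happen to pass, so treat a hit as a lead to verify rather than proof.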