How can it NOT be a risk?
That is an incredible leap in logic, that just because the CVC and password do not appear to have been obtained, there is no likely fraud to take place.
It is no secret that unlike the USA and other countries, where voluntary tax reporting is considered "compliant", and in SK, "non-compliant", some number of SK's (IIUC, those older than 35 or so) have two to five alter egos/alternate IDs, just for evading taxes, among other things.
Anyone with this info now can target those victims and use enough existing facts to create alternate IDs and possibly obtain credit or loans in those people's names if collateral is not required. With so many people having the same surname, it only will take a crafty con a few days with an analytics program to match up stolen IDs to prospective buyers to minimize the risk of fraud alert detection going off.
This is just one more incident that will likely lead to biometrics at point of sale becoming the norm.
But, if these kind of snafus will probably make more people resort to carrying around wads of extra cash for a few months. It can be pretty scary for those who use love motels for purposes outside of their relationships if the data buyers/users can figure out how to access transaction histories. Blackmail could really put people into a tailspin, too.
It is just totally improper to state that the lack of the CVC and password diminishes the risk of harm to the victims. Downplaying these events is likely to lead to complacency.