""It wasn't encrypted, nor are you legally required to encrypt it," she told the newspaper. "We have complied with all of our legal obligations in terms of storing of financial information.""
Let's see what the Data Protection Registrar has to say about that!
"But the company did reveal that some credit card information had been snatched."
If they in anyway stored the 3 digits from the back of the card then they broke PCI-DSS rules - which are a legally binding contract.