This story is rather worrying, not only because of the security issue of criminals being able to reactivate old accounts, but also because of the length of time for which Netflix appears to be keeping sensitive confidential information on its previous customers.
In the UK, under the new data protection legislation, personal data should only be kept for such time as is appropriate in the circumstances for which it was obtained. The issue here is whether keeping bank details for 10 months is too long for someone who has cancelled a subscription. As long as it can be justified, that is fine, but it certainly looks like a debate to be had, particularly in light of the criminal activity which has been highlighted.
Former Netflix customers who cancelled their subscription months ago have had their accounts reactivated without their consent. BBC Radio 4's You & Yours programme has learned that criminals can log in to dormant accounts and reactivate them without knowing users' bank details. The video streaming service wants it to be easy for customers to rejoin. As a result, customer data is held on the site for 10 months, including billing details.