This story is rather worrying and not only because of security issues with criminals able to reactivate old accounts, but also as to the length of time in which Netflix appear to be keeping sensitive confidential information on its previous customers. 

In the UK, under the new data protection legislation, personal data should only be kept for such time as is appropriate in the circumstances for which it was obtained. The issue here is whether 10 months keeping bank details is too long for someone who has cancelled a subscription. As long as it can be justified then that is fine, but it certainly looks like a debate to be had, particularly in light of the criminal activity which has been highlighted.