It's not very damaging though. What good is `the last four digits` of a credit card? Also: Although PII was leaked, how useful is that, when previous breaches have exposed half the planet already? If I want someone's SSN to do identity theft, then I can access that very readily and easily in other breach corpuses, and they don't need to be in this breach.
It would be useful for social engineering, though I'd hazard a guess that a lot of DO customers are going to be more aware of that kind of thing. I've seen email and phone scams where the scammer gets info from a data leak and uses it to lull the target into a false sense of security before trying to extract more useful information.
"Hi, I'm calling from Bank of America about your debit card ending in XXXX. We've noticed some suspicious activity. Did you make a purchase for $200 at SomeOutlandishlyExpensiveStore? Oops, I need to verify your identity first? Can you give me your SSN?"
There you have two pieces of not-very-public information from the leak, and some bait to incite a little bit of panic, which might impede their judgement enough that they won't be too suspicious.
"Hello Joe Smith. This is amazon. We had an issue processing your card ending in 1234. Please send us and updated credit card details or we will have to close your Amazon account."
Something along those lines. Someone more creative could craft a better message.
“Who cares about PII leaks when there have been other breaches” is a weak argument.
Aside from being helpful for phishing, leaking the last 4 is enough for the issuer to pull the card, which is a major annoyance if you have other things billed to that card that will now all need to be updated.
