Back before PCI DSS we used to store everything we got during the booking process. And that include FOP (Form Of payment, CA cash, CC Credit Card, CH Checks, government card have another code etc...), FOID (Form of Identification - often Passport number nowadays but used to be FF card and CC card) confidential remarks (financial data) non confidential remarks (address, tel numbers, etc... And for a web based system , yes the IP you used). Everything you have directly or indirectly was saved i the PNR. And when CAPS 2 came up yes all that was sent indiscriminately to the US government , privacy be damned. Only recently when PCI DSS came up the airline started to blank our new PNR , but in some case for interline you may need to still send the CC (Can't recall which interline ticketing scenario - not refund as interline refund is not allowed by any airline i know of - maybe exchange to keep old FOP and new FOP in synch). Old PNR were never really corrected, especially all that was sent to the US government.
Bottom line : that's sadly a non story.