I was looking up an order on a store's website once, and I noticed the URL was just like suckywebstore.com/order?11567 . Out of curiosity I changed the last digit of the order page URL (maybe like 11567 to 11566) and it then showed me the complete order for another customer, and changing the number to any other lower number showed that order's info.
That order page showed the customer's address, phone #, email address, items ordered, last 4 of the CC # & date, shipping, and the time and date of the order.
The first thing I thought of was that a scammer could call or email any customer and say, "Hi Todd, this is Joe from suckystore.com and your order for the 3 DVD players and 2 cables last Tuesday didn't get approved, can I get that credit card number from you again? It was missing one number." Since you had all their order information, most people would be sure it was a real call/email and would not hesitate to give you that credit card again. And because you had the customer's full name & address, it would be very easy to go on a shopping spree without asking for revealing information.
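The flaw described above is an order lookup that trusts the number in the URL without checking who is asking. As an added example (not part of the original post and not the store's code), this Python code puts that lookup beside one that checks ownership against the logged-in session and counts denied lookups so that walking through order numbers becomes visible; the order data, function names and alert threshold are constructed assumptions.

```python
from collections import Counter

# Constructed sample data: order id -> record. All names and values are made up.
ORDERS = {
    11566: {"owner": "alice", "items": ["dvd player"], "card_last4": "0000"},
    11567: {"owner": "bob", "items": ["cable"], "card_last4": "1111"},
}

DENIED = Counter()    # denied order lookups per session user
ALERT_THRESHOLD = 3   # assumed value; tune to the site's normal traffic


def get_order_vulnerable(session_user, order_id):
    """Behaviour described in the post: whatever id is in the URL is returned."""
    return ORDERS.get(order_id)


def get_order_checked(session_user, order_id):
    """Return the order only if it belongs to the logged-in user.

    The owner comes from the server-side session, never from the request.
    Missing orders and other people's orders give the same result, so the
    response does not confirm which order numbers exist.
    """
    order = ORDERS.get(order_id)
    if order is None or session_user is None or order["owner"] != session_user:
        return None
    return order


def handle_order_request(session_user, order_id):
    """Return (http_status, order, alert) for one order page request.

    alert is True once a session has been denied ALERT_THRESHOLD times,
    which is what stepping through neighbouring order numbers looks like.
    """
    order = get_order_checked(session_user, order_id)
    if order is None:
        DENIED[session_user] += 1
        return 404, None, DENIED[session_user] >= ALERT_THRESHOLD
    return 200, order, False
```

Using long random order identifiers in URLs makes guessing harder, but the ownership check is what closes the hole.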