This struck me as rather interesting, with some links to other stuff.

Apparently the retail sector is concerned about organised crime involving fraudulent refunds.

The question is: are the customer data they are holding in respect of this both legal and secure?

In the case of TJ Maxx, the answer was no.

Article here: