As we've seen, many major companies have had password breaches and exposed customers' personal data.
I was trying to improve some weak passwords today, and IHG and Qantas, out of almost 400 sites in my password vault, are the ONLY sites that limit me to a 4-digit numeric PIN. This is extremely out of step with currently accepted standards for data security.
Looking in my account, my profile contains: member number, email address, full name, address, phone number, birth day and month (optional but can't be removed online), a corporate ID that reveals your employer (if set), and your account numbers for partner programs (if set).
That kind of info is most of what's needed to steal an identity or break into a user's other sensitive accounts.
I wonder if appealing to their sense of legal risk aversion would be effective. Wouldn't a data breach with so little care given to security put them in a tough position on liability?