How was customer payment information NOT disclosed?! It is on Google!! The URLs should be protected by authentication! It should be impossible for Google or anyone else to access it without a login. It does not matter that some customers shared it on social sites. Saying there is no problem if the social sharing doesn't occur is security through obscurity.
I've been through this before. Online receipts identified with long, random URLs. Users posting them online with no regard for security. Requiring a login for purchase was deemed infeasible since it adds friction to the checkout process. The only thing keeping the online receipt from google was robots.txt.
