The question of interest should be (If I'm involved in CS'ing) is how did they get my card details, to be able to then ID the account and de-activate it?
If you are do CS'ing - say it's a small completely private network, with no reshares, etc. multiple C Lines for multi house boxes, not running off Sly internet - what's the chance of being deactivated? Almost zero - anyone that fits this (& I think there is only 1 so far) is a fluke from Sly's perspective. As are non CS folk with cards in the original STBs. It's all about data profiles - what profile do you fit, ring up 'cos entitlements have run out? Card never talks back? Only card on the sub? etc. It's no different to a Credit Scoring agency scoring Joe Bloggs and a lender saying no. In that case you can see the basic data the agency hold - but the lender will not divulge the scoring methods\algorithm.
In this case Sly hold the data and the scoring algorithm - do you think they'll tell you anything?
If however your F lines allow reshare, etc. what did you think was going to happen? Given an IP address - I could potentially knock on your front door & no that's isn't the stuff of Hollywood films. Whereas NDS don't require you're address.
I think it's entirely plausible to have a card cough up it's CAM id - if the ECM could be appropriately constructed. Whilst a lot of NDS knowledge does exist outside NDS - it's nothing compared to the internal knowledge and whilst the proof doesn't exist, my knowledge of related stuff lends to a hypothesis that once NDS have a C Line (i.e. an IP Address, user name, password & port Nbr) - it's entirely plausible and probable that a specially constructed ECM could easily provide CAMid and other info. After all when a card is first paired - do you think the box is told to pair with a specific card, or is the card told to pair with a specific box. If it's the latter - surely the card holds this pairing info. Does the card not also hold it's own ID? Why can't this be retrieved? Do the data packets not have space\redundancy?
Hand your server details out especially with reshares and we all know PayServers do "pimp" out folks shares (without them knowing about it) - this sort of thing will happen.