Jim Alkove, general manager of Microsoft's security of interactive entertainment business, responded to Joystiq today, offering the following statement:
We are conducting a thorough investigation into the researchers' claims. We have requested information that will allow us to investigate the console in question and have still not received the information needed to replicate the researchers' claims.
Xbox is not designed to store credit card data locally on the console, and as such seems unlikely credit card data was recovered by the method described. Additionally, when Microsoft refurbishes used consoles we have processes in place to wipe the local hard drives of any other user data. We can assure Xbox owners we take the privacy and security of their personal data very seriously.
In summary, Microsoft is looking into the claim, and suggests it's not possible to strip previous users' credit card data from a refurbished console. But best to hold onto that old Xbox 360 for now, until this whole thing is figured out.