Just what......

....was this guy to do? He had reported it to his managers they did not want to know, he reported it to the company they did not want to know so what's the next step? Go public! As he said his info is on those servers so he will be affected by this lack of security but he was in a position to do something and try to get it corrected.

I suppose he could have gone to the credit card companies but would that have gone anyware? Probably not. In my experience the card companies are only interested in making sure they do not have to pay out for any attack on the system, it's a blame culture thing. They are only interested in shifting the blame and therefore the cost away from themselves not in the security breach itself. He was in a no win situation, but should be supported by the law in what he has done not penalised by it.