fundamental security problems
"we spotted this situation through the thoroughness of our own security and checking systems"
Hmm. From reading the press release on Newcastle City Council's website it sounds to me like their online payments system was configured incorrectly.
They appear to use RadiusICON. According to the literature for this product:
"On-line authorisation of the payment is key to the Local Authority, as it guarantees payment ... The call to the acquiring Bank or merchant service provider is via an ISDN line ... In the case of RadiusICON, a separate secure card server makes this connection and stores the card transactions. On successful completion of the payment, a record is also written to the RadiusICON database."
http://www.radiusplc.co.uk/sitemain/computer_services/literature/lt_radiusicon.htm
I would suspect that they erroneously put the "secure card server" in their DMZ and allowed public access to it. Or perhaps, to save cost, they ran the card server and the web server on the same box.
A question to ask is why they are storing credit card information at all. All they need to store is whether the payment was successful or not.
In any case, it implies that they failed to properly consider the security when setting the system up. A serious failing indeed; I am not at all reassured by their claims that their systems are now "properly robust".