Previous comment mentions using an anonymous drop to inform the relevant companies or newspapers. That is the most immediate solution, I would have to agree.
But I also wonder if anything would have been said or done about this vulnerability if there hadn't been a name or identity to target and make an example of?
(Example being, "don't get smart with us".)
I am starting to think that what you say is the best solution. If you find a system is vulnerable, perhaps it's best to withdraw your funds, close your account, deny all services, and stop doing business with the vulnerable. In this case, time to stop refreshing your name in their database and start buying your transit cards or tokens in person using cash. Cancel the card you used with them or report it stolen to get the card number associated with your account regenerated. Leaving something behind (address, phone number, mother's maiden name)? Make sure to change (scramble) your "account details" before jumping ship.
What good is being done any more by free-lance white-hatting or the old vanguard of "let the company know and when you get the inevitable silent treatment, tell the public"? It's being treated like "vigilantism" even though no real victimization is being perpetrated. It's only against the law because of either idiotic legislators or weird "new world order" style agendas.
Consider a company which would press charges against you for revealing their own vulnerability to them or for forcing the vulnerability into the open to get it fixed. We can easily say that's a company being run ignorantly. Consider a police department that would agree to handle those charges and throw you in the slammer in agreement with some lame law. Consider the obtuse lawmakers who gavel'd that idiot law into being. Consider the largely computer-illiterate -- nay, computer-superstitious -- population that regularly produces all of these idiots. Take all of that into consideration for a moment and ask:
Whom are you going to save, from what, for the benefit of whom, on behalf of whom, as an upstanding citizen of what exactly, and with what as your reward?
You're going to protect a moron company from "criminals", for the benefit of that moronic company lording it over a moronic population manhandled by a moronic police department, on behalf of said moronic police department (in their stead, on their behalf, same thing), as an upstanding citizen of a moronic state featuring a moronic population, its moronic legislature passing moronic laws, and the moronic police department that enforces those laws, and you're going to be branded a "criminal" and thrown in prison with a bunch of morons as a result.
So, maybe re-think the whole old-school, "for the betterment of civilization" style of white-hatting at all, for anybody, whatsoever. Whether you protect your identity, get thrown in jail, or get heard out and get to see your suggestions taken seriously and resulting in a more secure website, the people you are trying to "help" obviously:
(1) don't need it
(2) don't or can't truly appreciate it
(3) don't deserve it
Pick any combination of the 3; even having one of those 3 present in the relationship calls for an end to the relationship.
If they can't pay -- money, attention, time -- for real competent and intact security, let them get run over. Stop trying to "help". It's probably only contributing to the dumbing down of society, anyway.