There seems to be an easy fix to this. Document a bunch of the events using the information from the system. Include the specific transaction numbers, amounts, times, person, etc. Make it clear that it's all from their own system.
Submit that information anonymously. It will both alert them to the theft with enough detail that it should get them to act. It will also simultaneously alert them to the weakness in their system without indicating that it was you. Could fix two problems at once.
ETA: Ah, I see that it turned out nicely! Great!