Let's looks at all the layers of fail compressed into this public transit agency:
1. Their coders were stupid enough to code in a 15 year old security vulnerability.
2. Their security team didn't thank him for reporting the vulnerability, but rather went to the local po-po.
3. The PR team didn't send everybody involved to their rooms without desert. Think I'm being too hard on them? Consider:
BKK management made a fatal mistake when they brazenly boasted in a press conference about catching the hacker and declaring their systems "secure." Since then, other security flaws in BKK's system have surfaced on Twitter."Secure". You keep using that word.
It's likely that hackers world wide are even now scouring the BKK's computer systems for vulnerabilities. There's quite a good chance that it's a target rich environment. This is quite likely to end in tears for BKK.