by aparadja
5470 days ago
Become the evil employee? ;) Seriously though, I encountered a similar situation in a previous job. It was a media company instead of a bank, so the stakes were not as high. Still, they had user emails and plaintext passwords in the database. I warned the other developers and my manager about it, but they all dismissed the fix as a low priority task. I spent some time digging through the web app's source code, and found an SQL injection bug. I then demonstrated the exploit to the whole team at a meeting. My next task was to implement the fix. Your coworkers' attitude gives me the impression that finding an exploitable security hole isn't an enormous task. Sure, a live exploitation demo is a gimmicky internal marketing tactic, but it might work.