The structure and scripting of that web site is too poor to be designed, it's just sloppy, and that's a poor designer.
No user validation, no encryption to protect identities and personal details, it's no wonder the site has been compromised. What is amazing is how long it took to discover the vulnerabilities. There is even a SQL injection vulnerability, but I will say nothing more of that. What is very clear to me is that CRT need a new IT professional, hence the deletion of my account.
I think sometimes it's okay to be a bit cynical ...there was just something about the mooring prices that set alarm bells ringing.