Not excusing the bank.
http://support.worldpay.com/support/kb/bg/testandgolive/tgl5103.html
It is common to have test accounts with test cards. They don't work at the ATM and the bank never makes a physical card. There are thousands of these in the system, and the bank system will deny a real money withdrawal from these cards.
The hackers managed to activate the cards, meaning when the ATM does the check the bank servers it will say actually it is a real card, so the withdrawal proceeds. All you do then is make the hundreds of physical cards and go to town at the ATM machines.
It's not complicated at all, but they needed insiders.