Hmm, NDI ay? Very interesting as they do make a piece of software to act as a gateway to the PNC which is old, Windows-only and dependent on MS-SQL Server.
I have to deal with one of their competitors that supplies a similar product; also Windows-only but based on Oracle and it's an awful pile of junk that's around 15 years old and full of bugs and security holes that they refuse to accept as problems - e.g. incorrectly formed client request throws unhandled exception and crashes the server process, unsalted passwords stored in database using symmetric encryption using an easily retrievable fixed key.
Obviously the above is another company and another product but people I've spoken to seem to suggest that NDI is a similar story. Certainly they give the impression of sharing the same blasé attitude as their competitor which is that because their software was accredited years ago (by a body that no longer even exists) it somehow remains secure forever and can't be attacked anyway because it will be protected by the firewalls and other infrastructure built around it.
It does not surprise me one bit that they got pwned.