I couldn't help but notice that they insisted that the credit card information had been tokenized, but gave no mention of ACH information. Considering the article mentioned that the money had vanished from the victim's personal bank account, I'd suspect that they were storing bank account:routing numbers in plain text.
Which, as everyone knows, is not PCI compliant.