It looks like the software manufacturer or the billing service provider might be financially liable for the vulnerability to be hacked.
The software was likely developed in house, so do you want to bankrupt the victim?