If this article is correct it is disturbing in that they seem to have no solid and tested disaster recovery process (DR).
They don't appear to know about how to reimage computers quickly to put them back in action (also part of a tested and documented DR process).
They don't seem to know process of how to deal with these kinds of threats properly. And still let the virus reside on the system even though they do not know what it does and including the fact that the feed that they use is not always encrypted?
I will save the best for last; it makes no sense to use Windows systems (no matter what a contractor says )for this kind of work when there are very good Unix and Linux systems that can be built from scratch including of course good security behaviour you want built into the kernel.
Unreal. I hope the article is an exaggeration.