Why do I have the horrible, horrible feeling that you aren't entirely aware of what these people are/have been doing?

If they could carry out their "business operations" after a valid login with your existing system, why would they go to all the trouble they have in order to do so?

If they couldn't carry out those "business operations" did they _ever_ request the ability to do so through proper channels and if they did how did the proper channels respond?

People simply don't go through the amount of effort required to do what they have done for no reason. I can understand if they needed to do something that your system did not easily provide them and your company would not alter things - but then you would be aware of this partner's needs. It seems to me that you aren't and therefore it further seems to me that there is no pressing reason for this activity. That being the case this is malicious, probably criminal and I would block all access to your servers until further notice.