Along the lines of what Jeff suggested, maybe you can implement your fix and publish it as a "fix" to a security hole in their api? At the very least, you should communicate your findings to your business and get their input on the matter. I would imagine if you show them tables can be dropped, they will dedicate resources to fix the problem.

Please note, I am not a lawyer so please investigate possible ramifications before publishing security holes. You could start at: https://www.eff.org/issues/coders/vulnerability-reporting-faq