TLDR:
"In April 23, 2021, ACI initiated more than 1.4 million erroneous ACH
Entries that were not approved by consumers. These 1,431,377 debit
entries and 1,444 credit entries transmitted electronic mortgage payment
instructions totaling over $2.3 billion to the bank accounts of 478,568
Mortgage Company’s borrowers. As a result, many of these borrowers
unknowingly had multiple debits for monthly mortgage payments
scheduled to hit their bank account on a single day
....
This incident resulted from ACI’s lack of Reasonable Security sufficient
to, among other things: (1) securely segregate Speedpay’s testing
environment (where ACI maintains databases which contain data for use in
testing and development of software before it is used in a production
environment); (2) detect and prevent the transmission of ACH test files
containing SCFI to an ACI contractor; (3) detect and prevent an ACI
contractor from improperly creating ACH test files using SCFI; and (4)
detect and prevent the transmission of those ACH files into the ACH
Network.
On or about April 23, 2021, ACI contractors conducted performance tests
on ACI’s Speedpay platform that involved simulating actual ACH Entry
processing. ACI contractors handling the testing project did not use
“dummy” consumer data (i.e., data that do not contain SCFI) or ensure that
any consumer data in the data files used for testing were scrubbed of SCFI,
contrary to ACI policy."
TLDR: "In April 23, 2021, ACI initiated more than 1.4 million erroneous ACH Entries that were not approved by consumers. These 1,431,377 debit entries and 1,444 credit entries transmitted electronic mortgage payment instructions totaling over $2.3 billion to the bank accounts of 478,568 Mortgage Company’s borrowers. As a result, many of these borrowers unknowingly had multiple debits for monthly mortgage payments scheduled to hit their bank account on a single day
....
This incident resulted from ACI’s lack of Reasonable Security sufficient to, among other things: (1) securely segregate Speedpay’s testing environment (where ACI maintains databases which contain data for use in testing and development of software before it is used in a production environment); (2) detect and prevent the transmission of ACH test files containing SCFI to an ACI contractor; (3) detect and prevent an ACI contractor from improperly creating ACH test files using SCFI; and (4) detect and prevent the transmission of those ACH files into the ACH Network.
On or about April 23, 2021, ACI contractors conducted performance tests on ACI’s Speedpay platform that involved simulating actual ACH Entry processing. ACI contractors handling the testing project did not use “dummy” consumer data (i.e., data that do not contain SCFI) or ensure that any consumer data in the data files used for testing were scrubbed of SCFI, contrary to ACI policy."