Details start on page 11.
TLDR:
"In April 23, 2021, ACI initiated more than 1.4 million erroneous ACH
Entries that were not approved by consumers. These 1,431,377 debit
entries and 1,444 credit entries transmitted electronic mortgage payment
instructions totaling over $2.3 billion to the bank accounts of 478,568
Mortgage Company’s borrowers. As a result, many of these borrowers
unknowingly had multiple debits for monthly mortgage payments
scheduled to hit their bank account on a single day
....
This incident resulted from ACI’s lack of Reasonable Security sufficient
to, among other things: (1) securely segregate Speedpay’s testing
environment (where ACI maintains databases which contain data for use in
testing and development of software before it is used in a production
environment); (2) detect and prevent the transmission of ACH test files
containing SCFI to an ACI contractor; (3) detect and prevent an ACI
contractor from improperly creating ACH test files using SCFI; and (4)
detect and prevent the transmission of those ACH files into the ACH
Network.
On or about April 23, 2021, ACI contractors conducted performance tests
on ACI’s Speedpay platform that involved simulating actual ACH Entry
processing. ACI contractors handling the testing project did not use
“dummy” consumer data (i.e., data that do not contain SCFI) or ensure that
any consumer data in the data files used for testing were scrubbed of SCFI,
contrary to ACI policy."
