Quick Guide: When Testing Systems, Don’t Use Real Data!

When more than $2 billion was withdrawn from borrowers’ accounts without their authorization as the result of a data testing error, AGs paid attention. Meghan Stoppel and Emily Yu explore why and suggest precautionary measures companies can take.

(00:23): Meghan introduces herself and podcast co-host Emily Yu.

(00:43): Meghan outlines the news story that prompted this week’s episode: a recently announced multistate settlement between payment processor ACI Worldwide and almost every single state and the District of Columbia. She explains that although this news story looked as though it might relate to a cybersecurity breach, it was actually a data testing error that led to the unauthorized withdrawal of over $2 billion from ACI’s customers’ bank accounts.

(02:29): Emily explains that the error was due to historical issues including faulty internal data security controls at Speedpay, an ACI payment platform, that predated that business’s recent acquisition by ACI.

(03:07): Meghan further details how, rather than “dummy” data, ACI mistakenly used actual customer data from its mortgage servicer client to test updates to the Speedpay platform, causing the accidental withdrawal of mortgage payments from hundreds of thousands of bank accounts. She points to an important takeaway, that when a volume of a business’s customers interact with AG offices, this inevitably increases the scrutiny placed on that business.

(04:57): Emily digs into the details of the $10 million settlement, which pales in comparison to the $2.3 billion withdrawn from borrowers’ accounts; they speculate that the company’s responsiveness and efforts to correct the error influenced the AGs’ willingness to settle for a lower amount.

(05:21): Meghan asks about the involvement of the other state regulators in the case. Emily explains that state money transmission regulators got involved because ACI is a licensed money transmitter, and that they entered a separate settlement agreement with ACI, a further example of AGs working in tandem with other regulators and agencies.

(07:59): Emily and Meghan conclude their discussion with takeaways for businesses, to wit: when running testing, businesses should not use real customer data but instead consider deploying AI-generated or machine learning-generated data. State AGs are very attuned to the risks of data breaches and related information security and privacy issues and view these through the lens of how consumers are impacted. In this instance, what was at first thought to be a data security lapse turned out to be an error, but many of the same issues were implicated and AGs took action that not only impacted the payment processor itself, but also its vendor. Therefore, another important takeaway for businesses is to ensure that their vendors adhere to the same data hygiene standards as the companies themselves.

To listen to the full podcast, click here. To listen to a particular section, open the recording and use the time stamps provided above to navigate to the desired part.

To read more about the news story on which this podcast is based, click here.