
Bug or feature?

Also, wonder how they're verifying "The bank maintained that no suspicious transactions had slipped through as a result."



1. fix bug, run through the data again

or

2. get a bunch of low level analysts or interns to review all past transactions


3. Executive: "Hey, Charlie, you think that bug missed anything?" Manager: "None that I'm aware of."


yep, just 10 years of financial data. I'm sure they could replay that easily lol


Maybe they called all their "fishy" friends to confirm they caught all their bad stuff?

More seriously, the background seems to be that DB has poor controls overall, so likely this tagger was simply combined with something too permissive and the error ends up not mattering very much.


Given that I've already been approached by gov officials to create an accounting software that helps with creative bookkeeping, I say don't assume incompetence on this one.


'Also, wonder how they're verifying "The bank maintained that no suspicious transactions had slipped through as a result."'

I have no inside information, but I will observe there's a well-traveled road where organizations end up loudly announcing they couldn't find any exploitation of a given bug, or that it was limited to scope X, only to later announce that, oh, whoops, they found some, or that the scope was larger than they thought.

Sometimes I find it easy to believe it's honest, like an ongoing security incident for a relatively transparent organization where the news is only hours old. Sometimes... I find it quite easy to believe it's not honest. I don't have enough info to decide in this particular case but it wouldn't shock my priors for it to be the latter here.


Rerun a new release over the mutation log that it previously watched :)


They should do some back testing to verify the validity of the updated software. This would uncover past fraudulent activity and possibly any new bugs introduced by the fix.



