Sorry, perhaps this isn't very clear as I've tried to simplify the explanation to make it accessible to a wide audience.
What I meant here is they could tell that the corruption was being introduced by some component in their infrastructure, and they were only observing it for messages passing through one of their two active-active sites.
What now? Their datacentre was ... rewriting (presumably) encrypted packets?