Monzo has contacted 500,000 customers following a data breach which saw customer PINs accessible to employees of the digital bank for more than a year.
The incident, which may constitute a breach of the EU’s General Data Protection Regulation (GDPR), has prompted Monzo to advise affected customers to change their PINs.
On August 2, Monzo discovered that the PINs of nearly a quarter of all of its UK customers weren’t being securely stored. The PINs were stored in encrypted log files which could theoretically be accessed by 110 Monzo engineers. Nobody outside of Monzo could access the PINs at any point, so customers are at low risk of having their accounts accessed by unauthorised individuals.
Monzo engineers released an update to the app a day after the breach was discovered and by Monday Monzo had deleted the incorrectly stored data.
Affected customers were sent an email advising them to amend their PIN. All customers were urged to update to the latest version of the app.
In a corporate blog post, Monzo said: “We’ve checked all the accounts that have been affected by this bug thoroughly, and confirmed the information hasn’t been used to commit fraud. Just in case, we’ve messaged everyone that’s been affected to let them know they should change their PIN by going to a cash machine.”
It went on to apologise, saying: “If you think you see anything unusual on your account, please get in touch with us straight away through in-app chat or by ringing the phone number on your debit card. If we haven’t emailed you, you haven’t been affected. But you should still update your app to the latest version. We’re really sorry about this. Please get in touch with us if you have any questions or concerns.”
If Monzo is found to have breached GDPR, it faces a heavy financial penalty of up to €20m or 4% of annual global revenue for the previous year – whichever figure is higher. As the incident occurred in the United Kingdom, it will be thoroughly investigated by the Information Commissioner’s Office (ICO). However, the incident was reported to the ICO within the required 72-hour time period following the identification of the data breach.
The breach comes at an unfortunate time for Monzo, which has recently been planning to expand its operation into the United States. The reputational damage associated with such an incident could hinder its progress in breaking into the new market.