Digital bank Monzo urges customers to change PINs following security breach

Monzo, a UK-based mobile-only bank, has notified a subset of its users that their PINs have been inadvertently leaked into internal log files and were accessible to some of the company’s engineers.

“No information’s been exposed outside Monzo, and this data hasn’t been used for fraud,” the company claims, but nevertheless urged affected users to change their PINs as a precaution, to monitor their accounts for fraudulent transactions, and to update their mobile applications.

What happened?

“As your bank, we keep a record of your PIN so we can check you’ve entered it correctly. We store them in a particularly secure part of our systems, and tightly control who at Monzo can access them,” the company explained.

“On Friday 2nd August, we discovered that we’d also been recording some people’s PINs in a different part of our internal systems (in encrypted log files). Engineers at Monzo have access to these log files as part of their job.”

Apparently, the leaking of PINs into internal logs has been happening for the last six months.

The source of the problem was a bug in the mobile apps, which was triggered if the user used one of two features: the “Remind me of my card number” and the “Cancel a standing order” options. Some users claimed that they used none of these features and still received the notification email, but a Mondo employee said that they are sure that these are the only two features affected, and posited that the users forgot they used them in the last six months.

Monzo said that the issue affected less than a fifth of UK Monzo customers, which amounts to a tad less than half a million users. They have been advised to change their PIN via a nearby cash machine (ATM).

The company says they’ve deleted the leaked PINs and made changes to the Monzo mobile apps to prevent this from happening again, and that they’ve informed the UK Information Commissioner’s Office (ICO), the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) of the incident.

While grateful for the heads up, many users are complaining about having to go through the trouble of changing the PIN because of something that it’s ultimately not their fault. Also, some have complained about being notified of this incident via email and not through an in-app notification, because they assumed the email to be a scam/phishing attempt.

The Monzo employee reassured affected users that even if someone had their PIN, they would have to steal their Monzo card, get access to their unlocked phone, or have access to their email account to log into the app in order to take advantage of it.

“It’s very unlikely that you’ll experience any fraud because of this issue. But if you do, Monzo will cover that loss (unless our investigation finds that you made the transactions or failed to protect your information, which is always the case when we investigate report of fraud),” she added.