The take-up of open banking has been slow at best, but digital challenger Monzo may just have set it back even further after urging nearly 480,000 customers to change their PINs, following an admission that it had left sensitive information exposed to scores of unauthorised staff for over six months.
The bank, which is now valued at £2bn, claims PINs were usually stored in a secure part of its internal system where it could tightly control staff access. But the bank has now discovered that PINs were also being copied to log files that, while encrypted, could be accessed by about 110 unauthorised engineers.
Monzo has now self-reported the incident to the Information Commissioner’s Office.
It has been claimed that 480,000 UK accounts, equivalent to one in five of the bank’s 2.6 million customers, have been affected.
Monzo has now upgraded its systems and claims that no one outside the bank had access to the data. It also insists it has found no evidence to suggest the information has been misused.
In a blog post, the bank said: “We’ve checked all the accounts that have been affected by this bug thoroughly, and confirmed the information hasn’t been used to commit fraud. Just in case, we’ve messaged everyone that’s been affected to let them know they should change their PIN by going to a cash machine.”
The bank has also emailed customers, apologising for having mismanaged their sensitive information.
However, it is not the first time the company has been caught up in data governance issues. Last July, Monzo reported that nearly 20,000 customers had personal data exposed following a hack of a Spanish survey company, which also worked for Apple, Airbnb, Uber, Nike and Fortnum & Mason.
Some 19,213 email addresses had been exposed, while other data – including postcode, name of previous bank and Twitter username – was put in jeopardy. Hundreds of customers also had details of their salaries, employment and university compromised.