Digital bank says ‘bug’ meant unauthorised staff had access to numbers for six months

This article is more than 1 year old

The digital bank Monzo has urged nearly 480,000 customers to change their pins after it left banking information exposed to unauthorised staff for six months.

The bank, which is now valued at £2bn, said it usually stored pin records in a “particularly secure” part of its internal system where it could tightly control which staff members could access them. But on Friday, the bank discovered that pins were also being copied on to log files which, while encrypted, could be accessed by about 110 unauthorised engineers.

The Guardian understands that pins were mis-stored for up to six months, and that the situation has since been reported to the Information Commissioner’s Office as a precaution.

About one in five of the bank’s 2.6 million customers, or around 480,000 UK accounts, have been affected.

Monzo pushed ahead with an app upgrade early on Saturday morning after discovering the flaw, and worked throughout the weekend to delete the information it had incorrectly stored. That process was completed on Monday.

Monzo insisted that no one outside the bank had access to the pins and said it had no evidence suggesting the data was misused.

“We’ve checked all the accounts that have been affected by this bug thoroughly, and confirmed the information hasn’t been used to commit fraud,” Monzo said in a blogpost.

“Just in case, we’ve messaged everyone that’s been affected to let them know they should change their pin by going to a cash machine.”

The bank also sent emails to potentially affected customers on Monday, apologising for having mismanaged the sensitive data.

While the issue is said to have been resolved, it is one of the worst IT problems to hit the app-only bank since its launch in 2015.

Last week Monzo was affected by a temporary outage that meant some card purchases were failing to go through. Others were unable to log in or receive bank transfers.

The brand, known for its hot coral pink cards, is particularly popular among millennials in the south-east but is quickly spreading across the UK. With plans to expand to the US, its chief executive, Tom Blomfield, expects the bank to grow to 3 million customers in a matter of months.

Blomfield’s growth plans have been fuelled by a fresh round of funding announced in June, which helped Monzo double in value to £2bn.