Following a potential General Data Protection Regulation (GDPR) breach, digital bank Monzo has made contact with 500,000 of its customers to advise them to change their personal identification number (PIN).

Monzo became aware of the data protection breach last Friday, August 2. It was discovered that 25% of their UK customers’ PINs were saved to encrypted log files internally. For a time period of six months these log files could only be accessed by Monzo engineers.

By Saturday Monzo engineers had published an update to the app and by Monday it had deleted the incorrectly stored data. Anyone who was impacted by the breach was sent an email advising them to amend their PIN and update to the latest version of the app.

In a corporate blog post Monzo said: “We’ve checked all the accounts that have been affected by this bug thoroughly, and confirmed the information hasn’t been used to commit fraud. Just in case, we’ve messaged everyone that’s been affected to let them know they should change their PIN by going to a cash machine.”

It went on to apologise saying: “If you think you see anything unusual on your account, please get in touch with us straight away through in-app chat or by ringing the phone number on your debit card. If we haven’t emailed you, you haven’t been affected. But you should still update your app to the latest version. We’re really sorry about this. Please get in touch with us if you have any questions or concerns.”

If Monzo is found to have breached GDPR, it faces a heavy financial penalty of up to €20m or 4% of annual global revenue for the previous year – whichever figure is higher. As the incident occurred in the United Kingdom, it will be fully investigated by the Information Commissioner’s Office (ICO). However, the incident was reported to the ICO within the required 72-hour time period following the identification of the data breach.

This is poor timing for the digital bank as it has recently been progressing plans to expand its operation into the United States.