After a possible General Data Protection Regulation (GDPR) breach, digital banking group Monzo has alerted 500,000 of its customers to advise them to amend their personal identification number (PIN).

Monzo discovered a data breach on Friday, August 2. It was noticed that 25% of their UK customers’ PINs were saved in encrypted log files inside the organization. For six months those log files could be viewed by Monzo engineers.

By Saturday, Monzo engineers had released an update to the application and by Monday it had deleted the incorrectly stored data. Anyone who affected by the breach was sent an email telling them to alter their PIN and update to the latest version of the application.

A statement was published on Monzo’s corporate blog saying, “We’ve checked all the accounts that have been affected by this bug thoroughly, and confirmed the information hasn’t been used to commit fraud. Just in case, we’ve messaged everyone that’s been affected to let them know they should change their PIN by going to a cash machine. If you think you see anything unusual on your account, please get in touch with us straight away through in-app chat or by ringing the phone number on your debit card. If we haven’t emailed you, you haven’t been affected. But you should still update your app to the latest version. We’re really sorry about this. Please get in touch with us if you have any questions or concerns.”

The breach was reported to Information Commissioner’s Office (ICO) within the mandatory 72-hour time period following the identification of the data breach. If it is ruled that Monzo has violated GDPR then the company could be sanctioned with a massive financial penalty, up to €20m or 4% of annual global revenue for the previous year – whichever figure is greater. Due to the fact that breach occurred in the United Kingdom it will be fully examined by the ICO.

This is unfortunate timing for the digital bank as it has recently been developing plans to increase its share of the U.S. market.