Mobile-only bank, Monzo is the latest victim of a data breach, with the UK-based bank requesting their customers to change their PIN (Personal Identification Number). Upon initial inspection, the bank determined that the customers’ account PIN were recorded into log files which then were made accessible by their own staff. Monzo opened a blog entry on their official site to serve as a guide for their customers after the discovery of the bleach.
“On Friday 2nd August, we discovered that we’d also been recording some people’s PINs in a different part of our internal systems (in encrypted log files). Engineers at Monzo have access to these log files as part of their job. We’ve deleted the information that we stored in this way. As soon as we discovered the bug, we immediately made changes to make sure the information wasn’t accessible to anyone in Monzo,” explained Team Monzo.
Monzo released a new version of their app which is patched not to leak information to the log files. These updated versions are now freely downloadable via Apple App Store and Google Play Store. The company has emphasized that nobody outside the company had accessed or even had a chance to view the leaked PINs. Though it is not yet clear as of this writing if the engineers who were able to receive access to account PINs were under a non-disclosure agreement prior to what the Mondo considered as a bug.
“Just in case, we’ve messaged everyone that’s been affected to let them know they should change their PIN by going to a cash machine. The issue affected less than a fifth of UK Monzo customers. If we’ve contacted you to tell you that you’ve been affected, you should head to a cash machine to change your PIN to a new number as a precaution,” added Team Monzo.
The bank clarified that those who were not affected will not receive any email from Monzo, they strictly sent emails only to those that are confirmed as part of their investigation. Instructions on how to change the PIN through an ATM terminal is also included in the email. “If you think you see anything unusual on your account, please get in touch with us straight away through in-app chat or by ringing the phone number on your debit card. If we haven’t emailed you, you haven’t been affected. But you should still update your app to the latest version. We’re really sorry about this. Please get in touch with us if you have any questions or concerns,” concluded Monzo.
The United Kingdom’s Information Commissioner’s office has the full jurisdiction of hacking cases, with full coordination with the Financial Conduct Authority of the UK. Long-term customers of the bank went to Monzo’s own feedback forum to complain about what they call mandatory PIN change, given that the issue happened only internally – and customers should not be hassled for the negligence of the company.
An internal agreement inside Monzo has been established, where employees clarified that even though some of them got a hold of customers’ individual PINS, it will remain as confidential. This is for the fact that the account PIN in itself cannot be used for any financial transactions. The employee who maliciously wishes to abuse the PIN needs to have the actual debit/credit card of the customer in order to complete a transaction, which is highly unlikely to happen in this case.