Monzo says it wasn’t storing ‘some’ customer PINs correctly, but has now fixed the bug
Monzo, the fast-growing U.K. challenger bank that recently soft-launched in the U.S., is disclosing a potential, albeit relatively limited, security oversight that saw customer PINs stored incorrectly within the company’s internal systems.
Discovered on Friday, the “bug” has now been squashed after being spotted by one of Monzo’s security engineers, co-founder and CEO Tom Blomfield told me on a call just a few moments ago. He said that even though an audit hasn’t surfaced any fraud as a result, the upstart bank was emailing affected customers to inform them what had happened and to advise that they change their PIN, because being totally transparent “is the right thing to do”.
In a blog post just published, Monzo provides the following context for the bug, including who could access customer app PINs as a result:
We ask for your PIN whenever you want to make a payment, or do anything else that’s sensitive on your Monzo account.
And as your bank, we keep a record of your PIN so we can check you’ve entered it correctly. We store them in a particularly secure part of our systems, and tightly control who at Monzo can access them.
On Friday 2nd August, we discovered that we’d also been recording some people’s PINs in a different part of our internal systems (in encrypted log files). Engineers at Monzo have access to these log files as part of their job.
Monzo says it has since deleted the PIN information that was stored in this way, and that by 5:25am on Saturday morning, it had released updates to the Monzo apps. “Over the weekend, we then worked to delete the information that we’d stored incorrectly, which we finished on Monday morning,” writes the bank.
Next step: emailing the half a million customers affected, less than a fifth of U.K. Monzo customers.
“If we’ve contacted you to tell you that you’ve been affected, you should head to a cash machine to change your PIN to a new number as a precaution,” advises Monzo. “You can do this by putting your Monzo card into the cash machine, entering your old PIN and choosing ‘PIN services’. Then choose ‘Select a new PIN’ and change it to a new number”.
It goes without saying that if you are a Monzo user and spot anything unusual on your account, you should get in touch with Monzo immediately via in-app chat or by calling the phone number listed on your Monzo debit card.
More to follow…