The digital bank Monzo has advised almost 480,000 customers to change their personal identification numbers (PINs) after discovering a security bug.
In a statement on Monday, Monzo said it stored customer PINs in a “particularly secure” part of its systems and “tightly controlled” access to the information within the company.
However, on Friday, the bank discovered that it had also been recording some customers’ PINs in encrypted log files, which its engineers have access to.
After discovering the problem, the bank – which is valued at $2.4bn – referred the data mishandling to the Information Commissioner’s Office, a UK data regulator.
Over the weekend, Monzo deleted the information stored on the logs and released an update to its apps, as well as informing customers of the bug.
“We’ve checked all the accounts that have been affected by this bug thoroughly, and confirmed the information hasn’t been used to commit fraud,” Monzo said in the statement.
Regardless, the bank urged customers to visit a cash machine to change their PIN.
About one in five of the bank’s 2.6 million customers have reportedly been affected in what is the worst IT problem to hit the app-only bank since its 2015 launch.
The brand is popular with young people in the United Kingdom and plans to launch in the United States soon. It recently raised $117m with the help of Y Combinator Continuity, a Silicon Valley firm that helped launch Dropbox and Airbnb.
No information's been exposed outside Monzo, and this data hasn’t been used for fraud.
You should update your app, and we're emailing everyone that’s been affected to let them know they should change their PIN as a precaution.
Read our full update 👇 https://t.co/cKf5p5I87w
— Monzo (@monzo) August 5, 2019