Monzo customers urged to change their PIN following data gaffe
UK digital challenger bank Monzo has warned that 480,000 of its customers’ bank card PINs were accidentally stored in plain text in log files recording user interactions with two of its mobile app features.
The log files themselves were encrypted and Monzo says that no one outside the company had access to them, but the logs were accessible to around 100 Monzo engineers who didn’t have clearance to deal with customer PINs.
In a blog post yesterday, Monzo said the security problem had been discovered on Friday and fixed in the early hours of Saturday, and that the sensitive information had been deleted by yesterday morning.
“As your bank, we keep a record of your PIN so we can check you’ve entered it correctly,” it said. “We store them in a particularly secure part of our systems, and tightly control who at Monzo can access them.
“On Friday, we discovered that we’d also been recording some people’s PINs in a different part of our internal systems (in encrypted log files).”
Engineers at Monzo have access to these log files as part of their job.
“We’ve deleted the information that we stored in this way. As soon as we discovered the bug, we immediately made changes to make sure the information wasn’t accessible to anyone in Monzo. No one outside Monzo had access to these PINs.”
Monzo said it had emailed the customers who were affected and advised them to change their PIN and update their mobile apps.