Monzo Stored Customer PINs in Log Files

Online bank Monzo was red-faced this week after admitting a flaw in the way it stored its customer credentials.

The digital, mobile-only bank, headquartered in the UK, told customers over the weekend that it had been insecurely storing the PINs that they use to access their accounts.

The company stored customer PINs in what it described as a "particularly secure part of our systems," but on Friday, August 2, it also noticed that it had been storing PINs in its log files as well.

The log files are encrypted, but the company admitted that its engineers had access to them.
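The failure described above is a classic one: a sensitive value that is correctly protected in its primary store leaks into logs through an unrelated code path. The following Python is an added example, not Monzo's code and not from the article. It shows one defensive pattern, a logging filter that redacts sensitive fields before a record is written, plus a small audit helper that scans existing log text for values that slipped through. The field names (`pin`, `card_number`, `cvv`) and the sample log lines are constructed for illustration.

```python
import io
import logging
import re

# Constructed for illustration: field names that must never reach a log line.
SENSITIVE_KEYS = ("pin", "card_number", "cvv")

# Matches key=value or "key": "value" forms for the sensitive keys, case-insensitively.
# Group 1 is the key, group 2 the separator, group 3 the value to redact.
_SENSITIVE_RE = re.compile(
    r'(?i)\b(' + "|".join(SENSITIVE_KEYS) + r')\b(["\']?\s*[:=]\s*["\']?)([^,\s"\'}]+)'
)


def redact(text: str) -> str:
    """Replace the value of any sensitive key with [REDACTED], keeping the key."""
    return _SENSITIVE_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Redacts sensitive values at the handler, so every code path that logs through
    this handler is covered, not only the ones the developer remembered."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format the message first so %-args are substituted, then redact the result.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def build_logger(stream) -> logging.Logger:
    """Logger writing to `stream` with the redacting filter attached to its handler."""
    logger = logging.getLogger("payments-example")
    logger.handlers.clear()
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    logger.propagate = False
    return logger


def find_pin_leaks(log_text: str) -> list:
    """Return 1-based line numbers where a sensitive key still carries a real value.
    Intended for auditing log archives written before the filter was in place."""
    leaks = []
    for number, line in enumerate(log_text.splitlines(), 1):
        for match in _SENSITIVE_RE.finditer(line):
            if match.group(3) != "[REDACTED]":
                leaks.append(number)
                break
    return leaks


def demo() -> str:
    """Log two constructed events through the redacting logger and return the output."""
    buf = io.StringIO()
    log = build_logger(buf)
    log.info("card_reminder user=%s pin=%s", "u-42", "1234")
    log.info('cancel_standing_order {"user": "u-43", "pin": "9876"}')
    return buf.getvalue()


# Constructed sample log archive: lines 1 and 4 carry a clear-text PIN, line 3 is already redacted.
SAMPLE_LOG = """2019-08-02T10:00:01Z INFO card_reminder user=u-1 pin=1234 status=ok
2019-08-02T10:00:02Z INFO balance user=u-2 status=ok
2019-08-02T10:00:03Z INFO cancel_standing_order user=u-3 pin=[REDACTED] status=ok
2019-08-02T10:00:04Z INFO card_reminder {"user": "u-4", "pin": "9876"}"""


if __name__ == "__main__":
    print(demo())
    print("lines with leaked values:", find_pin_leaks(SAMPLE_LOG))
```

Attaching the filter to the handler rather than to individual call sites is the point: the two features that leaked here were not the ones anyone was thinking of as PIN-handling code, so redaction has to be enforced where the log is written, not where it is called.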

It updated the Monzo mobile apps by 5:25 am local time on Saturday and then spent the rest of the weekend deleting the information.

"We’ve deleted the information that we stored in this way. As soon as we discovered the bug, we immediately made changes to make sure the information wasn’t accessible to anyone in Monzo," the company said in a post on Sunday, August 4.

The slip-up affected fewer than one in five of its UK customers, the bank said. That's because only two features triggered the accidental PIN storage: getting a reminder of your card number and cancelling a standing order. It still amounts to around 480,000 customers, though.

The bank said that it has already contacted the people who were affected. Those customers should go and change their PINs at a cash machine, it advised.

No one outside the company had access to the PINs, it said, adding that it checked to ensure that the information hadn't been used to commit fraud.

The incident highlights the difficulty in notifying large numbers of customers about cybersecurity issues. Monzo emailed customers, but several complained that they thought it was a scam or only saw the email by chance.

"I too received this and it was in my spam. Should I have not seen this thread (like a huge portion of customers won’t) I wouldn’t have known," said one person. "Not at all bothered about the security issue by the way and I appreciate the transparency but just better notification needed."
