Monzo, a digital bank based in the UK, has recently emailed 480,000 UK customers, advising them to both update their Monzo app and change their PIN. The reason for the mass email alert? The digital bank left half a million PINs exposed in log files that were accessible to Monzo’s engineers. Although these PINs were encrypted, it is poor security practice to give employees access to sensitive data they aren’t cleared to see.
The issue was discovered on Friday, August 2nd, ending a six-month-long exposure of sensitive data. Monzo claims that shortly after the bug was discovered, they made the necessary changes.
“By 5:25am on Saturday morning, we had released updates to the Monzo apps. Over the weekend, we then worked to delete the information that we’d stored incorrectly, which we finished on Monday morning.”
There seems to have been no damage caused by the leak. “We’ve checked all the accounts that have been affected by this bug thoroughly, and confirmed the information hasn’t been used to commit fraud,” Monzo said.
Priyesh Patel, a Monzo community leader, told Monzo users that the bug affected users who either received a reminder of their card number or cancelled a standing order. Still, as many users claimed, you didn’t have to fall under these categories to have received an email. The caution that Monzo displayed was appreciated by its community. However, as companies become more proactive in reporting these situations to users, customers get a peek into the fragility of data privacy. We’re only a bug away from sensitive information showing up in log files.