Banking start-up exposes PINs for 500,000 customers on the verge of US launch

Banking start-up Monzo has sent out emails to half a million customers after its engineers caught a glimpse of the PINs associated with their cards.

The British banking service, which serves 2.5 million customers, recently secured a new round of funding and is about to launch in the United States. Things were going fine until the company accidentally wrote customers’ card PINs into its internal log files and exposed them to its own staff. One in five of those customers is now receiving the following notification:

“On Friday 2nd August, we discovered that we’d also been recording some people’s PINs in a different part of our internal systems (in encrypted log files). Engineers at Monzo have access to these log files as part of their job.”

Monzo assures customers that it took steps to rectify the situation as soon as it discovered the bug that caused it. It also claims no one outside the company had access to the PINs, and that the information hasn’t been used to commit fraud.
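The practical lesson from the notice above is that encrypting log files at rest does not protect a secret from the people who are allowed to read those logs as part of their job; the PIN has to be stripped before the line is ever written. The following is an added example, not Monzo’s code or anything described in the notice: a Python `logging.Filter` that redacts PIN-like fields from both free-text messages and structured payloads before they reach a handler, plus a small scanner for finding lines in existing logs that still carry unredacted PINs. The field names (`pin`, `new_pin`, `card_pin`) and the sample log lines are constructed for the illustration.

```python
import logging
import re

# Keys whose values must never reach a log line (assumed names for the example).
SENSITIVE_KEYS = {"pin", "card_pin", "new_pin", "old_pin", "cvv", "password"}
REDACTED = "[REDACTED]"

# Matches "pin=1234", 'pin: 1234', '"new_pin": "1234"' in free text and captures
# the key/separator prefix (group 1) so only the digits are replaced.
_PIN_KV = re.compile(
    r'(?i)(\b(?:card_|new_|old_)?pin\b\s*["\']?\s*[:=]\s*["\']?)(\d+)'
)


def redact_text(text: str) -> str:
    """Replace the digit value following any PIN-like key in a string."""
    return _PIN_KV.sub(lambda m: m.group(1) + REDACTED, text)


def redact_mapping(obj):
    """Recursively redact sensitive keys in dicts/lists (e.g. request payloads)."""
    if isinstance(obj, dict):
        return {
            k: (REDACTED if str(k).lower() in SENSITIVE_KEYS else redact_mapping(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact_mapping(v) for v in obj]
    if isinstance(obj, str):
        return redact_text(obj)
    return obj


class PinRedactionFilter(logging.Filter):
    """Scrub PINs from a LogRecord in place. Attach it to the handler so it
    covers every logger that writes through that handler."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(str(record.msg))
        if record.args:
            # logging stores a lone dict argument as the dict itself, otherwise a tuple
            if isinstance(record.args, dict):
                record.args = redact_mapping(record.args)
            else:
                record.args = tuple(redact_mapping(a) for a in record.args)
        return True  # never drop the record, only clean it


def redacted_message(msg, *args) -> str:
    """Build a record the way logging would, run the filter, return the final text."""
    record = logging.LogRecord("card.service", logging.INFO, "demo.py", 0, msg, args, None)
    PinRedactionFilter().filter(record)
    return record.getMessage()


def scan_log_lines(lines):
    """Return indices of lines that still contain an unredacted PIN value,
    i.e. what an after-the-fact audit of archived logs would look for."""
    return [i for i, line in enumerate(lines) if _PIN_KV.search(line)]


# Constructed sample log lines; not taken from any real system.
SAMPLE_LOG_LINES = [
    "2019-08-02T10:14:03Z INFO card.service request_id=abc123 user=u-42 action=view_pin",
    '2019-08-02T10:14:03Z DEBUG card.service response={"user": "u-42", "pin": "1234"}',
    "2019-08-02T10:15:11Z INFO card.service pin=[REDACTED] user=u-77",
    "2019-08-02T10:16:40Z DEBUG card.service payload: new_pin: 9012",
]


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(PinRedactionFilter())
    logger = logging.getLogger("card.service")
    logger.addHandler(handler)
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    logger.info("card update: pin=1234 for user %s", "u-42")
    logger.debug("pin change request: %s", {"user": "u-42", "new_pin": "5678"})
    print("lines still holding PINs:", scan_log_lines(SAMPLE_LOG_LINES))
```

The filter sits on the handler rather than on a logger because logger-level filters only see records created on that exact logger, so a child logger somewhere in a card-service module would bypass it. The scanner is the complementary control: a redaction filter fixes new log lines, while a scan over archived logs tells you whether the problem already exists, which is the kind of check that would have surfaced the situation the notice describes.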

“Just in case, we’ve messaged everyone that’s been affected to let them know they should change their PIN by going to a cash machine,” reads the notice.

If that includes you, it’s highly recommended that you follow Monzo’s advice. If you haven’t received the email, you’re not affected. However, the company still wants you to make sure the Monzo app is up to date on your iOS or Android device. This has nothing to do with the PIN-leaking bug. Rather, it just ensures things run smoothly with the service.

A few disgruntled customers writing on the company’s community forum believe they shouldn’t have to take any action, this being Monzo’s blunder, not theirs.

“This is not good. I don’t want to change my PIN because someone at Monzo has made a mistake,” a user identified as Drew58 wrote. “I’ve kept my side of keeping things safe; doesn’t sound like Monzo have. I’m sure a few will disagree but I’m not the one who has done anything incorrect here.”

Drew is right in that it was Monzo’s fault to begin with. However, now that customers are armed with this information, they’d be negligent to postpone changing their PIN. The situation in no way differs from having your password leaked in a data breach, with the service operators urging you to change your password because hackers now have it. Sometimes, bad things just happen. Of course, that doesn’t exonerate Monzo. Their security practices were lax and they should have known better than to misuse customer data like that, especially with today’s harsh data privacy laws.

*** This is a Security Bloggers Network syndicated blog from HOTforSecurity authored by Filip Truta. Read the original post at: