Nearly half a million customers of Monzo have been advised to change their PINs after their information was left in an insecure file, available to an estimated 110 engineers for half a year.
The UK-based mobile-only bank announced on 5 August 2019 that fewer than a fifth of its customers' PINs had theoretically been accessible to its employees. That amounts to around 480,000 people.
The source of the problem was apparently a bug in the mobile app, triggered when a customer used one of two features: requesting a reminder of their card number, or cancelling a standing order. When a customer used either feature, the app wrote their PIN into encrypted log files, where it should never have been stored.
Guy Warren is chief executive of the ITRS Group, a supplier of technology to 190 banks worldwide. He told Wired UK: “It was a design flaw when building the application. That data shouldn’t have been stored in a log file. Design review should have caught that before building.”
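The design flaw Warren describes is a generic one: an event gets serialised into a log line wholesale, and a secret that happens to be in the event goes with it. As an added example (not code from the article, from Monzo, or from ITRS), the Python below contrasts the naive fix, a denylist that masks known-secret keys, with the design that review should insist on: an allowlist per event type, so that only fields explicitly approved for logging can ever reach a log file, and a logging filter that enforces it at the point of writing. The event payloads, field names (`pin`, `pan`, `cvv`, `standing_order_id`) and event names are constructed for this example and are not Monzo's real schema.

```python
import io
import json
import logging
from typing import Any, Dict

# Constructed sample event, not a real Monzo payload. Field names are assumptions.
STANDING_ORDER_CANCEL_EVENT = {
    "event": "standing_order.cancel",
    "user_id": "u-12345",
    "standing_order_id": "so-987",
    "pin": "1984",               # must never reach a log file
    "pan": "4111111111111111",   # card number, likewise
}

# Naive approach: enumerate the secrets you know about and mask them.
DENYLIST = {"pin", "pan"}


def scrub_denylist(event: Dict[str, Any]) -> Dict[str, Any]:
    """Mask known-secret keys. A secret added later under a new key name leaks."""
    return {k: ("***" if k in DENYLIST else v) for k, v in event.items()}


# Hardened approach: per event type, list the fields that are allowed in a log line.
# Anything not listed is dropped, so a newly added secret field is safe by default.
LOG_ALLOWLIST = {
    "standing_order.cancel": {"event", "user_id", "standing_order_id"},
    "card.reminder": {"event", "user_id", "card_last4"},
}


def to_log_payload(event: Dict[str, Any]) -> Dict[str, Any]:
    """Project an event onto its allowlisted fields; unknown event types log only their name."""
    allowed = LOG_ALLOWLIST.get(event.get("event"), {"event"})
    return {k: v for k, v in event.items() if k in allowed}


class AllowlistFilter(logging.Filter):
    """Rewrite dict-valued log messages so that only allowlisted fields are emitted.

    Enforcing this inside the logging pipeline means a developer cannot bypass it
    by logging the raw event object directly.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.msg, dict):
            record.msg = json.dumps(to_log_payload(record.msg), sort_keys=True)
            record.args = ()
        return True


def render_log_line(event: Dict[str, Any]) -> str:
    """Log an event through a handler wired with AllowlistFilter and return the text written."""
    buf = io.StringIO()
    logger = logging.getLogger("example.audit")
    logger.handlers.clear()          # keep the helper idempotent across calls
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(AllowlistFilter())
    logger.addHandler(handler)
    logger.info(event)               # the raw event, secrets included, is passed in
    handler.flush()
    return buf.getvalue().strip()


if __name__ == "__main__":
    # A field added after the denylist was written slips straight through it.
    later_event = dict(STANDING_ORDER_CANCEL_EVENT, cvv="123")
    print("denylist :", scrub_denylist(later_event))
    print("allowlist:", to_log_payload(later_event))
    print("log line :", render_log_line(later_event))
```

Note that the allowlist is what makes the difference, not the filter: encrypting the log file at rest, as in the article, does nothing when the people who can read the logs are the same engineers who hold the keys. The only robust mitigation is for the secret never to be written, and an allowlist keeps that property as the event schema grows.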
Some users claimed that they still received an e-mail advising them to change their PINs despite never using these services, but one Monzo employee said that they are sure that these are the only two features affected.
The security breach is an internal one, as Monzo have said no one outside the bank has had access to these PINs. They assured customers that they have checked all affected accounts and confirmed their information has not been used fraudulently.
Some of Monzo's customers have complained at having to go to the effort of changing their PINs at ATMs for something that is ultimately not their fault. Others have criticised Monzo for notifying customers of this incident via email rather than through an in-app notification, which led some recipients to assume the email was a scam or phishing attempt.
While Monzo hasn't pinpointed exactly how the issue occurred, it is speculated to be simple human error, as every process in an electronic banking system has to be coded by someone at some point.
Cybersecurity expert Graham Cluley also told Wired UK that advising customers to change their PINs is the best course of action. Although there has been no evidence of outside fraud, people are likely to reuse the same PIN across different bank accounts, so those other accounts could also now be at risk.
“You find there’s a high preponderance of PINs starting with '19' and the reason is people will use their birth year,” said Cluley. “You should be just as random in your choice of PIN as in your choice of password.”
The company says they have now deleted the leaked PINs and made changes to the Monzo mobile apps to prevent this from happening again. They have also informed the UK Information Commissioner’s Office (ICO), the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) of the incident.