1 in 5 Monzo customers have been affected.
Around 100 unauthorised Monzo staff had access to customers' PINs for the last 6 months.
Monzo’s statement added that they are ‘really sorry about this’.
Monzo Security Bug
A bug in the Monzo system meant that customers' bank card PINs were copied and stored as plain text in log files. Despite this, the PINs Monzo holds in its main systems were, and remain, encrypted.
Although unauthorised staff had access to this sensitive customer data, Monzo have said:
“No one outside Monzo had access to these PINs. We’ve checked all the accounts that have been affected by this bug thoroughly, and confirmed the information hasn’t been used to commit fraud.” – Monzo, Blog Post
How did this happen?
The security bug occurred when Monzo customers used either of two specific features within the mobile banking app: the card number reminder and the cancel standing order feature. When using these features, Monzo customers are asked to re-enter their PIN for authorisation purposes. However, when customers entered their PIN, it was copied into Monzo's internal logs, where it was then visible to unauthorised staff.
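The failure described above is a general one: a secret entered for a one-off authorisation step is written to the same application log as everything else, and anyone with log access can read it. The following is an added example, not Monzo's code, of the two defensive pieces a team would want: a redaction helper that masks PIN fields before a request is logged, and a detection pass that scans existing log lines for a PIN written in clear so the affected entries can be found and removed. The field names, log format and sample log lines are constructed for the example.

```python
"""Added example (not Monzo's code): keeping card PINs out of application logs.

  1. redact_sensitive(): scrubs PIN-like fields from a request before it is
     logged, so a "log the whole request" habit cannot leak the secret;
  2. find_pin_leaks(): a detection pass over existing log lines that flags
     entries where a PIN field was written in clear, for clean-up and review.
"""
import json
import logging
import re
from typing import Any, Iterable, Optional

# Field names treated as secret. Hypothetical list chosen for this example.
SENSITIVE_KEYS = {"pin", "card_pin", "new_pin", "pin_confirm"}
MASK = "[REDACTED]"


def redact_sensitive(value: Any) -> Any:
    """Return a deep copy of `value` with every sensitive field masked.

    Nested dicts and lists are walked, so a PIN buried inside an
    "authorisation" sub-object is caught as well as a top-level one.
    """
    if isinstance(value, dict):
        return {
            k: (MASK if k.lower() in SENSITIVE_KEYS else redact_sensitive(v))
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact_sensitive(v) for v in value]
    return value


def log_request(feature: str, request: dict, logger: Optional[logging.Logger] = None) -> str:
    """Log a request for `feature` after redaction and return the line written.

    The unsafe pattern is logging the raw request object; the only change
    needed is to pass the redacted copy instead of the original.
    """
    logger = logger or logging.getLogger(__name__)
    line = "%s request: %s" % (feature, json.dumps(redact_sensitive(request), sort_keys=True))
    logger.info(line)
    return line


# Matches a field such as "pin": "1234" or new_pin=123456 holding 4-6 digits.
# A masked value ("[REDACTED]") contains no digits and therefore never matches.
_PIN_LEAK = re.compile(
    r'\b(?:pin|card_pin|new_pin|pin_confirm)\b"?\s*[:=]\s*"?(\d{4,6})"?',
    re.IGNORECASE,
)


def find_pin_leaks(log_lines: Iterable[str]) -> list:
    """Return (line_number, matched_text) for lines containing a clear-text PIN.

    Already-redacted lines are ignored, so the scan can be re-run after a
    clean-up to confirm that nothing sensitive remains in the log.
    """
    leaks = []
    for n, line in enumerate(log_lines, start=1):
        m = _PIN_LEAK.search(line)
        if m:
            leaks.append((n, m.group(0)))
    return leaks


# Constructed sample log lines (not real Monzo logs): one leaked PIN, one
# already redacted, one unrelated request.
SAMPLE_LOG = [
    '2019-08-02 10:15:01 INFO card_reminder request: {"account": "acc_001", "pin": "1234"}',
    '2019-08-02 10:15:02 INFO cancel_standing_order request: {"account": "acc_002", "pin": "[REDACTED]"}',
    '2019-08-02 10:15:03 INFO balance request: {"account": "acc_003"}',
]


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(log_request("card_reminder", {"account": "acc_001", "pin": "1234"}))
    print(find_pin_leaks(SAMPLE_LOG))  # only line 1 is flagged
```

The redaction is applied at the single point where the request is turned into a log line, which is the place a code review should check for every feature that asks the customer to re-enter a PIN; the scan function is the sort of check a team would run over retained logs to find what needs deleting and to confirm afterwards that the deletion worked.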
Monzo Rectify their Security Issue
Upon discovering the security bug on Friday 2nd August, Monzo immediately made changes to stop unauthorised staff from accessing the sensitive customer information.
By 5.25am on Saturday 3rd August, Monzo had released updates to their mobile banking apps with a fix for the security bug. The updated version of the Monzo app no longer copies customers' details into log files as plain text.
Over the weekend Monzo staff then worked to delete any stored information.
Information Commissioner’s Office
Monzo have reported the mishandling of their customer data to the ICO and the ICO are now assessing the matter.
Financial Conduct Authority
According to the Financial Times, the FCA are “aware of the issue” but have declined to comment further.
Are you a Monzo Customer?
If you are an affected Monzo customer you need to do three things:
1. Change your PIN. Go to your nearest ATM as soon as possible, insert your Monzo card, enter your current PIN, choose ‘PIN Services’, then select ‘Select a new PIN’ and change your PIN to a new number.
2. Update your Monzo mobile banking app to the latest (unaffected) version (The latest versions of the app are iOS 2.59.0 and Android 2.59.1)
3. Check your account. Look over your payments and if you see anything unusual, contact Monzo straight away through the in-app chat or by ringing the phone number on the back of your debit card.
If your Monzo account was affected, you will have received an email from Monzo. If you haven’t received an email, it may still be best to update your PIN; however, Monzo have stated that the vast majority of their customers, who weren’t affected, should not need to update their PIN or take any other action. If you weren’t affected, Monzo have said that you should still update your mobile banking app to the new version.
Who are we?
Suits Me® is an alternative solution based in the UK for the unbanked and underbanked. A Suits Me® account provides our customers with an account and a contactless Mastercard® debit card and a multitude of banking-like features, including:
At Suits Me® we take our security and customer privacy very seriously.
- We abide by all data laws and protect all our customers’ data from both the outside world and unauthorised Suits Me® staff.
- Our website is fully encrypted. We have site-wide HTTPS with an SSL (Secure Sockets Layer) certificate on our website www.suitsmecard.com protecting all of our website pages.
- Debit card PINs are not sent via the post.
- PINs are retrieved either through the secure mobile banking app or the *IVR (Interactive Voice Response) line.
- The Suits Me® mobile banking app is accessed via a 5-digit mPIN or fingerprint technology.
- Suits Me® customers are frequently requested to change their online banking account password for security.
- Customers can reset their PIN within their Suits Me® mobile banking app.
- Customers can manage the security of their card within the mobile banking app by blocking (freezing) their card and reporting it as lost or stolen.
*IVR (Interactive Voice Response) is an automated telephone system that allows callers to interact with a computer using voice and DTMF (keypad) tones.
How to Open a Suits Me® Account
Applying for a Suits Me® account is quick and easy with no credit checks. Once you have applied online, your Suits Me® account will be open within minutes with instant access to your account number and sort code, online account facility and mobile app to start managing your finances. Your contactless Mastercard® debit card will arrive in the post within 3-5 working days.