Mobile-only bank, Monzo, admits storing payment card PINs in internal logs

Tuesday 6 August 2019 10:07 CET | News

Monzo, a mobile-only bank operating in the UK, has admitted storing payment card PINs inside internal logs.

The company discovered the bug on Friday, August 2, 2019, and spent all weekend removing PINs from its internal logs.

The issue occurred when Monzo customers used two specific features of their Monzo mobile apps, namely the feature that reminds users of their card number and the feature for cancelling standing orders. When Monzo customers used one of these two features, they would be asked to enter their account PIN for authorisation purposes but, unknown to them, the PIN would also be logged inside Monzo's internal logs.

Monzo said these logs were encrypted and that only a few employees had access to the data stored inside. The company said that all users should update their mobile apps. The company published an update for its mobile app on Saturday, August 3, 2019, so the apps will not send the account PIN code to Monzo servers anymore.

Users who had their PINs recorded in Monzo's logs received email notifications. The number of affected users is around 480,000. Users who did not receive an email were not impacted, the bank said.

Monzo launched in the UK in 2015 and it does not have any branches, as it operates solely via its mobile apps. In June 2019, the company announced plans to launch in the US.


Keywords: Monzo, challenger bank, mobile bank, banking, fintech, UK, bug, security issues, fraud prevention, payment card PINs
Countries: World