Monzo says it wasn’t storing ‘some’ customer PINs correctly, but has now fixed the bug
Monzo, the fast-growing challenger U.K. challenger bank that recently soft-launched in the U.S., is disclosing a potential, albeit relatively limited, security oversight that saw customer PINs stored incorrectly within the company’s internal systems.
Discovered on Friday, the “bug” has now been squashed after being spotted by one of Monzo’s security engineers, co-founder and CEO Tom Blomfield told me on a call just a few moments ago. Specifically, the security lapse meant that some customer PINs were simultaneously stored in encrypted log files accessible by certain Monzo staff.
Although an audit hasn’t surfaced any fraud as a result, the bank was emailing affected customers to inform them what had happened and to advise that they change their PIN. Being totally transparent “is the right thing to do,” said Blomfield.
In a blog post just published, Monzo provides the following context for the bug, including who could access customer app PINs as a result:
We ask for your PIN whenever you want to make a payment, or do anything else that’s sensitive on your Monzo account.
And as your bank, we keep a record of your PIN so we can check you’ve entered it correctly. We store them in a particularly secure part of our systems, and tightly control who at Monzo can access them.
On Friday 2nd August, we discovered that we’d also been recording some people’s PINs in a different part of our internal systems (in encrypted log files). Engineers at Monzo have access to these log files as part of their job.
Monzo says it has since deleted the PIN information that was stored in this way, and that by 5:25am on Saturday morning, it had released updates to the Monzo apps. “Over the weekend, we then worked to delete the information that we’d stored incorrectly, which we finished on Monday morning,” writes the bank.
Next step: emailing the half a million customers affected, less than a fifth of U.K. Monzo customers.
“If we’ve contacted you to tell you that you’ve been affected, you should head to a cash machine to change your PIN to a new number as a precaution,” advises Monzo. “You can do this by putting your Monzo card into the cash machine, entering your old PIN and choosing ‘PIN services’. Then choose ‘Select a new PIN’ and change it to a new number”.
If goes without saying that if you are a Monzo user and spot anything unusual on your account, you should get in touch with Monzo immediately via in-app chat or by calling the phone number listed on your Monzo debit card.
Meanwhile, the security disclosure comes about a month after Monzo announced £113 million (~$144m) in additional funding. Confirming TechCrunch’s scoop in April, the Series F round was led by Y Combinator’s “Continuity” growth fund, and gave the company a new £2 billion (~$2.5b) post-money valuation.