Monzo, a UK digital bank, admits to a data breach that affects more than 500,000 customers.
According to its blog post, Monzo asks for a PIN whenever individuals want to make a payment or do anything else that's sensitive on the Monzo account. As a bank, it keeps a record of the PIN so it can check that the PIN has been entered correctly. The PINs are stored "in a particularly secure part of [their] systems," and who at Monzo can access them is "tightly" controlled.
Monzo discovered that it had also been recording some people’s PINs in a different part of its internal systems (in encrypted log files). Engineers at Monzo had access to these log files as part of their job. As soon as Monzo discovered the bug, they "immediately made changes to make sure the information wasn’t accessible to anyone in Monzo". They have since released updates to the Monzo apps and worked to delete the information that they'd stored incorrectly.
"No one outside Monzo had access to these PINs. We’ve checked all the accounts that have been affected by this bug thoroughly, and confirmed the information hasn’t been used to commit fraud. Just in case, we’ve messaged everyone that’s been affected to let them know they should change their PIN by going to a cash machine," says the blog.
The issue affected less than a fifth of UK Monzo customers. "If we’ve contacted you to tell you that you’ve been affected, you should head to a cash machine to change your PIN to a new number as a precaution," they recommend.