Monzo log file security blunder forces PIN reset for 480,000 customers

Users of mobile bank Monzo will need to use cash machines belonging to conventional rivals to reset their PINs

Monzo, the self-styled ‘bank of the future’, has forced a PIN reset on 480,000 customers after admitting that it had been storing some customers' PINs incorrectly.

As a result, more than 100 engineers who should not have had access to customers' PINs may have been able to reach them in Monzo's systems. Monzo claims, however, that the PINs remained encrypted and that there is no evidence they were compromised in any way.

"No one outside Monzo had access to these PINs. We've checked all the accounts that have been affected by this bug thoroughly, and confirmed the information hasn't been used to commit fraud," the bank reassured customers in a mea culpa blog posting.

The bank explained: "As your bank, we keep a record of your PIN so we can check you've entered it correctly. We store them in a particularly secure part of our systems, and tightly control who at Monzo can access them.

"On Friday 2nd August, we discovered that we'd also been recording some people's PINs in a different part of our internal systems (in encrypted log files). Engineers at Monzo have access to these log files as part of their job.

"We've deleted the information that we stored in this way. As soon as we discovered the bug, we immediately made changes to make sure the information wasn't accessible to anyone in Monzo."

The company issued updates to its apps on Saturday morning, whereupon it deleted the log files that had been stored incorrectly.
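The failure described above, a PIN written into log files that a wide group of engineers could read, is the classic case where encrypting the file at rest does not help, because the people who can read the logs also hold the means to decrypt them. The usual control is to scrub sensitive fields before a record reaches any handler at all. The Python `logging` filter below is an added example, not Monzo's code or a description of its systems; the field names, the logger name and the sample PIN-change event are assumptions constructed for the demonstration.

```python
import io
import logging
import re

# Keys whose values must never reach a log line, matched case-insensitively.
# This list is an assumption for the example; a real service would derive it
# from its own data classification.
SENSITIVE_KEYS = {"pin", "card_pin", "new_pin", "old_pin", "pin_hash"}

# Fallback for free-text messages that embed a PIN as "pin=1234" or "PIN: 1234".
PIN_IN_TEXT = re.compile(r"(?i)\b(pin)\s*[:=]\s*\d{4,6}\b")

REDACTED = "[REDACTED]"


def redact(value):
    """Return a copy of `value` with every sensitive field replaced.

    Walks nested dicts and lists so a PIN buried inside a request payload is
    caught, and rewrites pin=NNNN patterns inside plain strings.
    """
    if isinstance(value, dict):
        return {
            k: (REDACTED if str(k).lower() in SENSITIVE_KEYS else redact(v))
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        # "PIN: 1234" and "pin=1234" both become "<pin>=[REDACTED]"
        return PIN_IN_TEXT.sub(lambda m: f"{m.group(1)}={REDACTED}", value)
    return value


class PinRedactingFilter(logging.Filter):
    """Scrubs the message, its %-args and any structured `payload` extra.

    Attached to the logger, it runs before every handler and formatter, so
    the PIN never reaches a file, encrypted or otherwise.
    """

    def filter(self, record):
        record.msg = redact(record.msg)
        if record.args:
            if isinstance(record.args, dict):
                record.args = redact(record.args)
            else:
                record.args = tuple(redact(a) for a in record.args)
        # Structured data passed as logger.info(..., extra={"payload": {...}});
        # default to {} so the formatter below always has the attribute.
        record.payload = redact(getattr(record, "payload", {}))
        return True  # never drop the record, only sanitise it


def build_logger(stream):
    """Logger (hypothetical name) that writes redacted records to `stream`."""
    logger = logging.getLogger("pin-redaction-demo")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s payload=%(payload)s"))
    logger.addFilter(PinRedactingFilter())
    logger.addHandler(handler)
    return logger


def demo():
    """Log two constructed events that would otherwise leak a PIN; return the output."""
    buf = io.StringIO()
    logger = build_logger(buf)
    # Constructed sample: a PIN-change request logged together with its body.
    logger.info(
        "pin change requested for account %s", "acct-001",
        extra={"payload": {"account": "acct-001", "new_pin": "1234", "channel": "app"}},
    )
    # Constructed sample: a raw request string pasted into a debug message.
    logger.info("raw request: pin=1234")
    return buf.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```

Attaching the filter to the logger rather than to one handler means every handler added later, including a file handler someone adds during an incident, inherits the redaction. Key-based scrubbing of structured payloads is the reliable part; the regex over free text is a safety net and should not be the only control.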

However, the 480,000 customers notified by Monzo will need to go to a cash machine belonging to a conventional High Street bank or building society to change their PINs.

The security flaw is a minor embarrassment for a bank that blasted Ticketmaster with both barrels over its security blunder last year, in which Ticketmaster enabled Magecart hackers to steal customers' personal details, including all their payment card details, over the course of several months.

Spotting a pattern of fraudulent activity that it traced to Ticketmaster, Monzo's security staff notified the company, only to be told that Ticketmaster had investigated thoroughly and found nothing.

British Airways was compromised in a similar attack by Magecart just months after Ticketmaster was hit. Unfortunately for BA, its attackers struck after GDPR had come fully into force, putting it in line for a fine of as much as £183 million, the ICO has indicated.