Monzo has urged 480,000 customers to change their secure Pins, after this information was made available to more than one hundred staff members.
Up to one in five of the digital bank’s 2.6 million customers were affected. While no fraud was detected as a result of the glitch, customers should take precautions to protect their accounts.
Find out how Pins were left exposed and what you need to do if you bank with Monzo.
How were Monzo Pins exposed?
Monzo generally stores Pins in a secure part of its internal system, with ‘tight controls’ over which staff members can access the information.
Last week, however, Monzo discovered that hundreds of thousands of Pins were also being recorded in a separate section of the internal system, as part of the log files. These ‘log files’ record events on the company’s operating system.
While this data was protected by encryption, up to 110 Monzo engineers had access to it, despite not being authorised to see customers’ Pins. These files have now been deleted.
With most banks, Pins are used primarily to authorise transactions on your debit card. At Monzo, however, you use the same Pin to authorise transactions via the app. Monzo has confirmed it will continue using the same Pin for the app and cards.
Monzo confirmed that all accounts have been checked for fraud, and that none was found as a result of the glitch.
Monzo chief executive Tom Blomfield said: ‘We’ve deleted the data and done a full review of our systems and are confident this information hasn’t been accessed or used in a fraudulent way.’
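The failure described above, secrets copied into log files that a much wider group can read than the store they came from, is a general logging problem rather than anything specific to Monzo. The example below is added here and is not Monzo’s code: it shows a redacting filter that strips Pin values out of events before they are written, plus a scanner that finds Pin-like values already sitting in existing log lines. The field names, the log lines and the regex are constructed assumptions for illustration.

```python
import json
import logging
import re
from typing import Any, Iterable, List

# Field names whose values must never reach a log file.
# These are assumed names for the example, not a real system's schema.
SENSITIVE_KEYS = {"pin", "old_pin", "new_pin", "card_pin", "cvv", "password"}

# Matches a 4-6 digit value next to a pin-like key in free text or JSON,
# e.g. 'pin=4921', '"new_pin":"0911"'. The lookbehind stops 'spin=1234'
# from matching; (?!\d) stops a partial match inside a longer number.
PIN_IN_TEXT = re.compile(
    r'(?<![a-z_])("?(?:old_|new_|card_)?pin"?\s*[=:]\s*"?)(\d{4,6})(?!\d)',
    re.IGNORECASE,
)


def redact(obj: Any) -> Any:
    """Recursively replace sensitive values with '[REDACTED]'.

    Dict keys are matched by name; strings are scanned for pin-like
    key/value pairs so values embedded in free-text messages are caught too.
    """
    if isinstance(obj, dict):
        return {
            k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v))
            for k, v in obj.items()
        }
    if isinstance(obj, (list, tuple)):
        return type(obj)(redact(v) for v in obj)
    if isinstance(obj, str):
        return PIN_IN_TEXT.sub(r"\1[REDACTED]", obj)
    return obj


def safe_event_line(event: dict) -> str:
    """Serialise an event for logging with sensitive fields already removed."""
    return json.dumps(redact(event), sort_keys=True)


class RedactingFilter(logging.Filter):
    """Attach to a handler so every record is scrubbed before it is formatted."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.msg)
        if isinstance(record.args, dict):
            record.args = redact(record.args)
        elif record.args:
            record.args = tuple(redact(a) for a in record.args)
        return True


def scan_log_lines(lines: Iterable[str]) -> List[int]:
    """Return 1-based line numbers of existing log lines that still carry a Pin-like value.

    This is the detection side: run it over old log files to find out
    whether a secret leaked before the filter was in place.
    """
    return [i for i, line in enumerate(lines, 1) if PIN_IN_TEXT.search(line)]


# Constructed sample log lines for the example (not real data).
SAMPLE_LINES = [
    '2019-08-05T10:00:00Z INFO card.pin_change user=u1 pin=4921',
    '2019-08-05T10:00:01Z INFO card.pin_change user=u2 pin=[REDACTED]',
    '2019-08-05T10:00:02Z INFO login user=u3 ip=203.0.113.5',
    '2019-08-05T10:00:03Z DEBUG request body={"user":"u4","new_pin":"0911"}',
]


if __name__ == "__main__":
    log = logging.getLogger("example")
    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())
    log.addHandler(handler)
    log.setLevel(logging.INFO)

    # Even a careless log call does not leak the value.
    log.info("pin change for user=%s new_pin=%s", "u1", "4921")
    log.info(safe_event_line({"event": "pin_change", "user": "u1", "new_pin": "4921"}))

    print("leaky lines:", scan_log_lines(SAMPLE_LINES))
```

The point of redacting at the logging boundary is that it does not matter who can read the log files afterwards: encryption of the log store only helps against people who lack access to it, whereas the engineers in the incident above did have access. The scanner is the complementary check for logs written before such a filter existed.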
- Find out more: challenger and mobile banks
How to change your Monzo Pin
Monzo has contacted any customers who were affected via email, urging them to change their Pin ‘as a precaution’.
To do this, you’ll need to take your card to a cash machine and enter your old Pin. You should then select the option ‘Pin services’, and ‘select a new Pin’, to enter a new number.
Customers who are abroad, or can’t easily access an ATM, should get in touch with Monzo through in-app chat.
Monzo also asked customers to update their app by downloading the latest versions from the App Store or Play Store.
If your contact details aren’t up-to-date with Monzo, or you have other concerns, you should contact the bank through the in-app chat or the phone number on the back of your debit card.
Am I at risk of fraud?
No customers have suffered fraud as a result of what happened, Monzo has confirmed. Indeed, in order to make a transaction on your account, Monzo staff would also have required access to your card, unlocked mobile phone or email account.
Nonetheless, if you’re worried, it’s worth monitoring your transactions over coming months for any suspicious activity.
If you notice an unauthorised transaction, you should report it to Monzo as soon as possible.
Like other banks, Monzo will refund unauthorised transactions on your card, provided you haven’t been careless. While it hasn’t yet signed up to the new code on bank transfer fraud, it has committed to upholding its principles.
- Find out more: my card has been lost or stolen and used to purchase goods
Is Monzo safe to use?
Monzo is one of the fastest-growing banks in the UK, with around 2.6 million customers.
The bank’s main draw is its instantaneous updates. As soon as a transaction is made, you’ll get a notification, making it much easier to spot fraud the moment it happens.
If your card goes missing, you can freeze it via the app. Or, if you lose your phone, you can log in via the Monzo website and freeze your account.
iPhone users can also turn on a location-based security feature to block potentially fraudulent transactions, for example if your phone is at your home in London but the payment is being made from abroad.
In our most recent banking survey, Monzo Bank was named a Which? Recommended Provider, topping our table with an 86% customer score.
- Find out more: best and worst banks
How secure is my Pin?
Any time you set a Pin, you should make sure it’s not easy to guess – avoid, for example, using your birthday or 1234.
While your bank should offer refunds for unauthorised card transactions, you may not be protected if you carelessly shared your Pin with the fraudster.
For this reason, you should never use your Pin for any other type of secure code, like a gym locker or bike lock, where someone could easily watch you. Cover your hand when entering your Pin at a till or ATM, and be wary if anyone is standing close behind you. And, of course, don’t leave your Pin written down anywhere, even as a reminder.
- Find out more: I think I may have given a fraudster my bank details