UK startup bank Monzo is warning 480,000 of its customers to reset their PINs after the company's security team discovered a software bug.
The bug caused customers' PINs to be stored unencrypted, in plaintext, in internal records. A PIN should never be readable even by bank staff, so anyone with access to those records could read it.
According to Data Breach Today, the bank's internal systems normally restrict access to such data, but because of the bug more employees than intended were able to view it.
The bank has already deleted the unsecured PINs and notified the 480,000 affected customers, asking them to reset their PINs to guard against fraudulent transactions.
So far no customer has reported fraudulent activity on their account. While that is good news, the bank wants customers to take the precautionary steps anyway.
According to Monzo's blog post, “No one outside Monzo had access to these PINs. We’ve checked all the accounts that have been affected by this bug thoroughly and confirmed the information hasn’t been used to commit fraud.”
The Guardian reports that the bug was present for about six months and that the incident was reported to the UK's data protection regulator, the Information Commissioner's Office (ICO).
Monzo is one of the UK's largest fintech startups, with over 2 million customers and a valuation of around $2 billion. The company has also announced a banking app for US customers, which will let them link a Mastercard debit card to the app.
The remediation adds a step for customers: they need not only to change their PIN but also to update the Monzo app on their Android or iOS device.
Data Breach Explained
Security expert Graham Cluley said this incident happened because the bank was ‘providing too much access to a particular file to many people.’ Cluley added that the data should not be stored in a log file and that ‘it was a design flaw when building the application.’
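To make the design flaw Cluley describes concrete, here is an added illustration (not Monzo's code, and Monzo has not published its implementation): a handler that writes the whole request payload to its log, so the PIN lands in plaintext in a file that every engineer with log access can read, next to a hardened version that redacts sensitive fields before logging, plus an audit routine that scans existing log lines for values that should never have been there. The event shape, the field names (new_pin, cvv and so on) and the in-memory "log file" are all assumptions made for the example.

```python
"""
Constructed example: logging a PIN-change event the vulnerable way and
the hardened way, then auditing the resulting log lines for leaks.
Field names, event shape and the list-backed log are assumptions.
"""
from __future__ import annotations

import json
from typing import Any, Iterable

# Field names that must never reach a log in clear text (assumed names).
SENSITIVE_KEYS = frozenset({"pin", "new_pin", "old_pin", "cvv", "password"})


def log_pin_change_vulnerable(event: dict[str, Any], sink: list[str]) -> None:
    """The flaw: serialise the entire event, PIN included, into the log."""
    sink.append(json.dumps({"msg": "pin change", "event": event}))


def redact(value: Any, sensitive: frozenset[str] = SENSITIVE_KEYS) -> Any:
    """Return a copy of `value` with every sensitive key's value replaced,
    recursing through nested dicts and lists so a PIN buried in a
    sub-object is caught as well."""
    if isinstance(value, dict):
        return {
            k: "[REDACTED]" if k.lower() in sensitive else redact(v, sensitive)
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact(v, sensitive) for v in value]
    return value


def log_pin_change_safe(event: dict[str, Any], sink: list[str]) -> None:
    """Hardened form: log only a redacted view of the event. The PIN never
    leaves the request handler, so how many people can read the log no
    longer matters for this field."""
    sink.append(json.dumps({"msg": "pin change", "event": redact(event)}))


def audit_log_lines(lines: Iterable[str],
                    sensitive: frozenset[str] = SENSITIVE_KEYS) -> list[tuple[int, str]]:
    """Scan JSON log lines and report (line_number, key) for every sensitive
    key whose value is still present in clear. This is the check a security
    team can run over existing logs to find out whether such a leak
    happened and how far back it goes."""
    findings: list[tuple[int, str]] = []

    def walk(obj: Any, lineno: int) -> None:
        if isinstance(obj, dict):
            for k, v in obj.items():
                if k.lower() in sensitive and v != "[REDACTED]":
                    findings.append((lineno, k))
                walk(v, lineno)
        elif isinstance(obj, list):
            for v in obj:
                walk(v, lineno)

    for lineno, line in enumerate(lines, start=1):
        try:
            walk(json.loads(line), lineno)
        except json.JSONDecodeError:
            continue  # non-JSON line: nothing structured to inspect
    return findings


# Constructed sample event: one PIN-change request as the handler sees it.
SAMPLE_EVENT = {
    "user_id": "user_0001",
    "card": {"last4": "4242", "new_pin": "1234"},
    "client": "ios",
}


def demo() -> tuple[list[str], list[tuple[int, str]]]:
    """Write the same event through both paths and audit the result."""
    log: list[str] = []
    log_pin_change_vulnerable(SAMPLE_EVENT, log)   # line 1 leaks the PIN
    log_pin_change_safe(SAMPLE_EVENT, log)         # line 2 does not
    return log, audit_log_lines(log)


if __name__ == "__main__":
    lines, findings = demo()
    for line in lines:
        print(line)
    print("leaks:", findings)   # [(1, 'new_pin')]
```

Redacting at the point of logging is the fix that addresses Cluley's second point (the data should not be in the log at all); tightening who can read the log only addresses the first and still leaves the PIN one misconfiguration away from exposure. The audit routine is the complementary control: run periodically over log storage, it would have flagged the leaking line on day one rather than months later.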
Other experts argued that, as a new digital-only bank, Monzo should have been more careful. The bank was not even aware that access permissions had gone wrong and that too many people could reach sensitive data.
Monzo has not yet published a full explanation of how the issue occurred, but according to experts every process in electronic banking needs to be carefully coded and kept up to date.