Hayes Connor Instagram Advert about Monzo

Just seen this paid advertisement on Instagram from Hayes Connor:

Ad links to: https://www.hayesconnor.co.uk/is-monzo-bank-losing-its-shine-after-a-series-of-data-breaches/

Everything they say seems to be a bit of a stretch to me, but what do you guys think? :thinking:

“Has Monzo lost its shine after a series of data breaches?”


I wasn’t aware they’d had a series of data breaches. Did I miss something?


Never heard of them. Wouldn’t click their ad. Won’t click the link.


That’s definitely “a no win no fee” deal right there


I’d forgotten Typeform

Apparently they “specialise in data breach and cyber crime compensation claims”.

Which I guess makes them the internet equivalent of ambulance chasers.

I don’t know if there’s any body that Monzo can complain to about the advert, but I would hope they’d look into it. The “series of data breaches” claim is false - one incident with PINs does not a series make.

(Also while they may be technically correct to call the PIN issue a ‘data breach’, it’s not one in the sense that the general public (I believe) would understand the term - that is, they would take it to mean that an outside party has breached Monzo’s servers and gained access to information (the classic data dump hack, say). Again, poor form, IMO.)


I’ve already put it in CC channel :+1:

Thanks to @Modo for posting this


Read the article. I have nothing nice to say about it, so I’ll say nothing. But to answer my own earlier question, no I didn’t miss anything.


The PIN issue, in my opinion as a customer, is a non-starter. Yes it was a problem, and I got the email, but it was plugged and none of that data left the company.

It’s not Boeing or British Airways level stupid where the company has no idea what it’s doing with people’s data.

I see nothing wrong with that article, it’s pointing out what happened and just wording it in a sensationalistic way.

No point in saying none of it happened when it did.

If they wanna make something of it then so be it.

I would say the PIN issue was a near miss at most. A breach is where data actually leaks, or is misused.


Sounds like an ambulance chaser firm, especially if you read their disclaimer. I’ve never heard of them.


The article appears to be factually correct though it reads very much like it was written by a tabloid journalist. Sounds like the digital equivalent of InjuryLawyers4U!

I don’t endorse what they’re doing - in fact, I very much dislike this type of activity. However, just for clarity, the recent PIN issue WAS a security breach. Information doesn’t have to make its way into the bad guys’ hands to be considered a breach. In this case, the confidentiality of the information was not preserved, i.e. it was accessible to unauthorised people. The ICO’s own definition of a breach is:

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.

It doesn’t follow that everyone affected should be claiming compensation, so I’m not advocating that. Monzo handled it well after becoming aware. I hope they improve their internal processes as a result as there are definitely lessons to be learned. Some of the communication afterwards could have been better too, e.g. I’m not sure if there’s been a definitive answer on liability for those who don’t change their PINs.


Out of interest, from the list in ICO’s definition (destruction, loss, alteration, unauthorised disclosure of, or access to, personal data), which are you suggesting took place here?

I fully accept there could be an account somewhere that I’m missing - but as far as I can tell from what Monzo have said, the data was not disclosed to anyone and - from Simon VC’s tweet above, the logs were never viewed so it’s not accidental access.

I think this situation could be characterised as having the potential to become a security breach by the ICO’s definition – but Monzo noticed and intervened before it did.


The PIN - information that needed to be secured - was written to log files accessible by people who weren’t authorised to access that information. The confidentiality wasn’t maintained. Surely if there was no risk to the confidentiality of the data there would be no need for anyone to change their PIN? Yet that is what Monzo have advised and, in messages to some customers, have indicated that failure to do so would make the customer liable for any card fraud in the future.


Yes - and until it’s accessed by someone who wasn’t authorised to see that data, it’s not a breach by the ICO definition quoted. It absolutely had the capacity to become one and what I’m saying doesn’t do anything to minimise the potential adverse outcome, but there’s a difference between a “near miss” and a breach. Lessons should absolutely be learned.

Monzo have taken the cautious approach here – as you would hope anyone else handling sensitive data and money would do – and recommended people change their PIN “as a precaution” despite no indication of access to the log files.

It’s important to note that Monzo are not requiring people to change their PIN – which is the course of action you would reasonably expect if they had any information to indicate that there was a likely or even probable risk to the confidentiality of the data rather than a possible or unlikely risk.


Engineers at Monzo have access to these log files as part of their job.

That’s taken from the email sent to affected customers.

Also, if you read further up the thread, at least one customer has been told by a Monzo staff member that failure to change their PIN would make them liable for any future fraudulent transactions.

I stand by what I posted - the confidentiality has not been maintained.


Is there a link for this please?

There is an important difference between having access to and accessing.

For example, COps reasonably have access to customer address information [so that they can do ID verification, change of address etc.] but if someone accessed that information without a valid reason to do so, then that would be a breach.

Obviously, these two situations aren’t entirely analogous – but the important correlation as far as it being a breach under law (your allegation above) is the actual accessing of data.

The message from Monzo staff members has been that Monzo is not taking responsibility for all future PIN-present fraudulent transactions and that they would have to investigate as they do in all cases of alleged fraud. By changing your PIN, you are removing all risk from this incident – Monzo are leaving this choice to individuals affected (of which I am one, I received the email and know that I used one of the two affected features).

You are making really serious allegations in this thread, including ones which, if based in fact, could see severe penalties imposed on Monzo.