Apparently they "specialise in data breach and cyber crime compensation claims".
Which I guess makes them the internet equivalent of ambulance chasers.
I don't know if there's any body that Monzo can complain to about the advert, but I would hope they'd look into it. The "series of data breaches" claim is false - one incident with PINs does not a series make.
(Also while they may be technically correct to call the PIN issue a "data breach", it's not one in the sense that the general public (I believe) would understand the term - that is, they would take it to mean that an outside party has breached Monzo's servers and gained access to information (the classic data dump hack, say). Again, poor form, IMO.)
The PIN issue, in my opinion as a customer, is a non-starter. Yes it was a problem, and I got the email, but it was plugged and none of that data left the company.
It's not Boeing or British Airways level stupid where the company has no idea what it's doing with people's data.
The article appears to be factually correct though it reads very much like it was written by a tabloid journalist. Sounds like the digital equivalent of InjuryLawyers4U!
I don't endorse what they're doing - in fact, I very much dislike this type of activity. However, just for clarity, the recent PIN issue WAS a security breach. Information doesn't have to make its way into the bad guys' hands to be considered a breach. In this case, the confidentiality of the information was not preserved, i.e. it was accessible to unauthorised people. The ICO's own definition of a breach is:
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
It doesn't follow that everyone affected should be claiming compensation, so I'm not advocating that. Monzo handled it well after becoming aware. I hope they improve their internal processes as a result as there are definitely lessons to be learned. Some of the communication afterwards could have been better too, e.g. I'm not sure if there's been a definitive answer on liability for those who don't change their PINs.
Out of interest, from the list in ICO's definition (destruction, loss, alteration, unauthorised disclosure of, or access to, personal data), which are you suggesting took place here?
I fully accept there could be an account somewhere that I'm missing - but as far as I can tell from what Monzo have said, the data was not disclosed to anyone and - from Simon VC's tweet above, the logs were never viewed so it's not accidental access.
I think this situation could be characterised as having the potential to become a security breach by the ICO's definition - but Monzo noticed and intervened before it did.
The PIN - information that needed to be secured - was written to log files accessible by people who weren't authorised to access that information. The confidentiality wasn't maintained. Surely if there was no risk to the confidentiality of the data there would be no need for anyone to change their PIN? Yet that is what Monzo have advised and, in messages to some customers, have indicated that failure to do so would make the customer liable for any card fraud in the future.
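An added example (not Monzo's code, nor posted by anyone in this thread) of the defensive pattern the post above points at: mask PIN fields at the logging boundary so the stored line never contains the value, and scan stored lines for any that still do. The key names and sample log lines are constructed.

```python
# Added example (not Monzo's code): mask PIN fields before they are stored,
# and detect stored lines that still carry one. Names and samples are constructed.
import json
import logging

SENSITIVE_KEYS = {"pin", "card_pin", "new_pin", "old_pin"}  # assumed field names

def redact(payload):
    """Copy of a structured log payload with sensitive values masked."""
    clean = {}
    for key, value in payload.items():
        if isinstance(value, dict):
            clean[key] = redact(value)  # handles nested request bodies
        elif key.lower() in SENSITIVE_KEYS:
            clean[key] = "[REDACTED]"
        else:
            clean[key] = value
    return clean

class RedactingFilter(logging.Filter):
    """Masks dict messages before any handler formats or stores them."""

    def filter(self, record):
        if isinstance(record.msg, dict):
            record.msg = json.dumps(redact(record.msg), sort_keys=True)
        return True

def filtered_message(payload):
    """Push a dict payload through RedactingFilter; return the stored text."""
    record = logging.LogRecord("app", logging.INFO, "", 0, payload, None, None)
    RedactingFilter().filter(record)
    return record.msg

def leaked_pin_lines(lines):
    """Indexes of JSON log lines that redaction would change, i.e. exposures."""
    hits = []
    for i, line in enumerate(lines):
        try:
            doc = json.loads(line)
        except ValueError:
            continue  # non-JSON lines are skipped
        if isinstance(doc, dict) and redact(doc) != doc:
            hits.append(i)
    return hits

SAMPLE_LINES = [  # constructed, not real log data
    '{"event":"pin_reminder","user":"u1","pin":"1234"}',
    '{"event":"login","user":"u2","ip":"203.0.113.5"}',
    '{"event":"pin_change","user":"u3","body":{"new_pin":"9876"}}',
]
```

Running `leaked_pin_lines(SAMPLE_LINES)` flags lines 0 and 2; the same lines passed through `RedactingFilter` produce no hits, which is the check to run over existing log storage after a fix like this is deployed.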
Yes - and until it's accessed by someone who wasn't authorised to see that data, it's not a breach by the ICO definition quoted. It absolutely had the capacity to become one and what I'm saying doesn't do anything to minimise the potential adverse outcome, but there's a difference between a "near miss" and a breach. Lessons should absolutely be learned.
Monzo have taken the cautious approach here - as you would hope anyone else handling sensitive data and money would do - and recommended people change their PIN "as a precaution" despite no indication of access to the log files.
It's important to note that Monzo are not requiring people to change their PIN - which is the course of action you would reasonably expect if they had any information to indicate that there was a likely or even probable risk to the confidentiality of the data rather than a possible or unlikely risk.
"Engineers at Monzo have access to these log files as part of their job."
That's taken from the email sent to affected customers.
Also, if you read further up the thread, at least one customer has been told by a Monzo staff member that failure to change their PIN would make them liable for any future fraudulent transactions.
I stand by what I posted - the confidentiality has not been maintained.
There is an important difference between having access to and accessing.
For example, COps reasonably have access to customer address information [so that they can do ID verification, change of address etc.] but if someone accessed that information without a valid reason to do so, then that would be a breach.
Obviously, these two situations aren't entirely analogous - but the important correlation as far as it being a breach under law (your allegation above) is the actual accessing of data.
The message from Monzo staff members has been that Monzo is not taking responsibility for all future PIN-present fraudulent transactions and that they would have to investigate as they do in all cases of alleged fraud. By changing your PIN, you are removing all risk from this incident - Monzo are leaving this choice to individuals affected (of which I am one, I received the email and know that I used one of the two affected features).
You are making really serious allegations in this thread, including ones which, if based in fact, could see severe penalties imposed on Monzo.