Out of interest, from the list in ICO’s definition (destruction, loss, alteration, unauthorised disclosure of, or access to, personal data), which are you suggesting took place here?
I fully accept there could be an account somewhere that I’m missing - but as far as I can tell from what Monzo have said, the data was not disclosed to anyone and - from Simon VC’s tweet above, the logs were never viewed so it’s not accidental access.
I think this situation could be characterised as a having the potential to become a security breach by the ICO’s definition – but Monzo noticed and intervened before it did.
The PIN - information that needed to be secured - was written to log files accessible by people who weren’t authorised to access that information. The confidentiality wasn’t maintained. Surely if there was no risk to the confidentiality of the data there would be no need for anyone to change their PIN? Yet that is what Monzo have advised and, in messages to some customers, have indicated that failure to do so would make the customer liable for any card fraud in the future.
Yes - and until it’s accessed by someone who wasn’t authorised to see that data, it’s not a breach by the ICO definition quoted. It absolutely had the capacity to become one and what I’m saying doesn’t do anything to minimise the potential adverse outcome, but there’s a difference between a “near miss” and a breach. Lessons should absolutely be learned.
Monzo have taken the cautious approach here – as you would hope anyone else handling sensitive data and money would do – and recommended people change their PIN “as a precaution” despite no indication of access to the log files.
It’s important to note that Monzo are not requiring people to change their PIN – which is the course of action you would reasonably expect if they had any information to indicate that there was a likely or even probable risk to the confidentiality of the data rather than a possible or unlikely risk.
“Engineers at Monzo have access to these log files as part of their job.”
That’s taken from the email sent to affected customers.
Also, if you read further up the thread, at least one customer has been told by a Monzo staff member that failure to change their PIN would maker them liable for any future fraudulent transactions.
I stand by what I posted - the confidentiality has not been maintained.
There is an important difference between having access to and accessing.
For example, COps reasonably have access to customer address information [so that they can do ID verification, change of address etc.] but if someone accessed that information without a valid reason to do so, then that would be a breach.
Obviously, these two situations aren’t entirely analogous – but the important correlation as far as it being a breach under law (your allegation above) is the actual accessing of data.
The message from Monzo staff members has been that Monzo is not taking responsibility for all future PIN-present fraudulent transactions and that they would have to investigate as they do in all cases of alleged fraud. By changing your PIN, you are removing all risk from this incident – Monzo are leaving this choice to individuals affected (of which I am one, I received the email and know that I used one of the two affected features).
You are making really serious allegations in this thread, including ones which, if based in fact, could see severe penalties imposed on Monzo.
Just to help me understand, if someone at a company, who was authorised to do so for a specific reason, printed off a load of personal data concerning its customers, and then left the file on the train, but no one on the train looked at the file, would that be a breach?
Yes - because that would meet the ICO’s definition that danmullen quoted above - that would be a “loss” of data as there is no longer any level of control over the data by the data owner.
The data here was stored in encrypted log files on Monzo’s own systems that were discovered by a security engineer.
Ultimately given that Monzo have referred themselves to the ICO (as well as the FCA and PRA), they will be able to determine whether they feel that any redress is necessary.
That was me, and I still haven’t had a definitive answer, having been told several times I would not be liable and once that I would be. I’m busy this weekend but will be chasing again with them on Monday.
No I’m not, what allegations have I made? Monzo have alerted customers and self-reported due to this breach. They themselves think it was a serious enough incident to warrant that.
As I said earlier, they’ve handled it well since becoming aware and I hope the ICO doesn’t impose any sort of fine. I doubt they will. The risk to the rights and freedoms of the data subjects is minimal.
Thanks, I couldn’t remember who it was that posted about this! Monzo should make an official statement on it. I suspect the person that told you you would be liable gave out wrong information.
Monzo have not, at any point, said that it was a breach. That is an allegation. There is, as you quoted above, a definition set our for what a breach is, as it carries penalties. Monzo reported themselves to the ICO in the interests of transparency (and because it was the right thing to do and I hope that most organisations would do the same in the same circumstances). The act of reporting does not mean they consider there to have been a breach.
I just want to make it clear that I acknowledge this, the only thing I take issue with is the suggestion that it is a breach (a claim made in the advert in the original post and repeated by you above).
@bea - in the original community thread - made the following statement (which I quoted above).
I feel this is the right time for me to bow out of this thread – “breach” has a specific definition as quoted above, I have yet to see anything that indicates that this incident meets the definition of a breach, Simon VC’s tweet above suggests that Monzo don’t believe it meets the definition either. As Monzo have voluntarily referred themselves to the ICO, they can make the final determination.
I haven’t actually read definitively that no unauthorised people have accessed the log files. I’ve read that no-one outside the bank has accessed the information, which is different.
Along with this comment from Monzo…
“ Engineers at Monzo have access to these log files as part of their job. ”
…it certainly sounds like they have been accessed. I’d be delighted for Monzo to come out and categorically state that the files were not accessed during the six month period in question.
Just because someone has the ability to do something, doesn’t mean they have done it. The sentence you’ve quoted just explains the PIN issue, it definitely doesn’t say that someone accessed and copied or used the PINs.
I mentioned this in a post on the the other main thread. The lack of definitive definitions and oversight on the PR etc of the incident is leading to stuff like Hayes Connor.
Given that we are signing up more users than ever before, our NPS remains incredibly high, and anyone who spends any time at all working on our social media can see the huge amount of delighted customer comments we continue to receive on a daily basis, I think it’s fairly obvious that the answer to this question is no.
But of course, we all knew that, and we also all know that using our company name in any way, shape, or form is a guaranteed way to get a bit of attention these days. A certain bus advert about “moving over” springs to mind.
One could probably make a fairly decent living as a freelance business consultant these days by going around the country, meeting with businesses and saying “Find some way to reference Monzo in an advert or blog post”.
It really is at the point now where people want to find an angle for anything we do. The irony is that it probably does more for us than it does for them by reinforcing us as something worth talking about.
It’s funny how journalists etc all want to find a story that scare the general public.
The recent outage drew a flurry of articles (click bait?) which largely repeated the information Monzo yourselves had transparently made available and used it to paint a negative picture of Monzo and the small percentage of disgruntled customers.
However, no media, so far has reacted at all to the latest Monzo blog post with its incredibly detailed account of what happened, what Monzo has learned from it and the actions you’ll take to minimise the likelihood of it happening again.
We should all take what the press (and others trying to cash in on Monzo’s success) say with a large pinch of salt.
As someone who has used hays Connor as a customer, in my opinion there not the best, they regularly ignore messages & emails, the best part is they missed the obvious (yup there’s a NDA with the third party here) they (HC) dropped my case citing lack of evidence without costing me a penny and the third party contacted me to say we screwed up, we broke GDPR we admitted it to your solicitor (hays Connor) but they missed it, third party wrote me a cheque and we both laughed about their (HC’s) lack of common sense.