Receipts security issue

New to the forum because I thought this needed to be shared.

Photos of receipts are currently being stored insecurely.

You can test this yourself. Go to Account > Settings > Statement History

Then download a month (in which you have saved a receipt photo) in .csv format.

Open that file in excel and there is a receipt column containing links.

These links can be opened in any browser without logging in. They are your photographs, containing your private data.

It has to be said that these urls contain random strings, so you can’t simply guess links to other peoples’ receipts, but it’s not beyond a bot to trawl through and collect information on every monzo user who uploads their receipts.

1 Like

As the next post in that thread states:

1 Like

I throw my receipts in the bin :joy:


Just use a joint account. It fails to save any receipts correctly. Security issue resolved


My main concern is it puts your receipts at the same level of security as your browser history.

In principal my data should not be accessible without a login. Thankfully I’ve only bothered to save a receipt once or twice.

It’s not a simple case of many bits make it secure. This is like storing passwords in plain text in complex hidden folders.

The main vulnerability is if AWS have a security issue, they only need to see that folder and they get everyones’ receipts.

Financial and personal data needs to be encrypted, not just hidden. This is not adequate security for a bank. They’re relying on another organisations security to be safe. It would not be difficult to secure users data properly.


I suppose the privacy issue is if someone you don’t want to have access has the URL - and you can’t deny them permissions. But in those circumstances I’m assuming that deleting the receipt then reuploading it would fix it?

I’ll test and see if deleting a receipt removes it…

1 Like

Deleting a receipt does not remove the image online immediately. I’ll report back to see if it gets removed eventually.

1 Like

It won’t*, but it gets lost in obscurity. The old thread included an attachment image I deleted and that’s still up.

Personally I still feel like that’s skirting the edges of responsibility, but given I don’t use receipts, the data is low risk and access is essentially removed unless the URL was guessed or internally accessed… meh.

.* 11 months and counting, but they may purge eventually

Again, the URL is multiple trillions of combinations long - and this is a paper receipt.

What is the security problem of someone seeing a receipt? I keep mine on the fridge so :woman_shrugging:


In the scenario that someone has accessed your browser history, obscurity is not a defence. The url is already known.

It’s also a way someone can access data without being it being logged or the user knowing.

The data is not low risk if someone uses the feature. The receipt I’ve just deleted includes purchase history, price, location, time, signature. name, and signature.

In the event someone’s photographed an invoice it would include your home address.

The feature isn’t fit for purpose if it is not encrypted. Encrypted cloud storage is trivial to set up these days, there’s no excuse for a bank to do anything less responsible than that.


Yes, this does sound suboptimal.

What I’d like to see Monzo do in the future is have a granular permissions system, both for API access, but also for sharing (share a link with a transaction viewable on a browser etc) but under total user control.

I’ll file that in “nice to have in the future” and “user needs not wants”… :smiley:


Whilst I understand concerns around this, it is pretty standard industry practise to simply hide images and documents behind impossible-to-guess randoms URLs when they’re being stored on CDNs (such as AWS S3).


I’m pretty certain GDPR rules would prohibit that practice for personal data now.

For one thing, requests to delete data must be complied with. In this case it’s not data relevant to their operation as a bank.

I’m not the litigious type, but if my receipt continues to remain viewable after 28 days I’m pretty sure they’re in breach.

If they’ve deleted the link to and are unable to locate the photo themselves, as I requested it deleted. They’d also be in breach if I made a subject access request under GDPR and they did not supply it. So long as I could prove it’s still on their AWS server, they still have it.

These days personally identifiable data needs more careful handling. Receipts often fall into this category.

1 Like

GDPR doesn’t give a timescale for deletion, just that the data controller must comply to an erasure request “without undue delay".

Monzo may also have a legal reason to keep certain data so does not have to comply with such requests straight away.

Data might not have to be erased if any of the following apply:

  • The “right of freedom and expression”
  • The need to adhere to legal compliance, e.g. a bank keeping data for 7 years.
  • Reasons of public interest in the area of public health
  • Scientific, historical research or public interest archiving purposes
  • For supporting legal claims, e.g. PPI offerings.

I don’t see any of these fitting the bill (no pun intended) of the bank hanging onto receipt images.

If they do then Monzo should state this is the case

1 Like

It kinda depends on the tech. If you ask for transactional data held in an easily accessible database to be deleted then, all other things being equal, it should/can be immediately. Things like backups are often seen as problematic, but the common interpretation seems to be that waiting for the data to fall off the backup cycle (e.g. If backups last 7 days) that would be a reasonable amount of time you wait, as long as they’re not being actively restored / accessed during that time. For long period backups, bets are probably off!

Specific to the Monzo images question, it would take a court to determine whether tapping to delete a photo of a receipt in the app is a delete request under GDPR. My instinct is that it isn’t, but IANAL.

If anyone really did want them deleted under GDPR, I’d suggest asking in-app support. I think a few days is reasonable to triage (they’ve probably not seen it before), pass to the right engineer then actually delete the image.

1 Like

Sometimes gifs confuse me. :man_shrugging: