Hi all! I’ve been collating answers to your questions from the relevant staff members.
Concerns about the email / how it’s been communicated
Thanks to everyone who had feedback about how we communicated the issue - we’re taking it seriously. We’ve sent out an email for now, but of course it’s important to us that everyone who’s been affected receives the information. We’re keeping an eye on things to make sure people have seen our message, and we’ll review soon if we need to get in touch with anyone through a different channel.
What’s the risk of not changing my PIN?
If somebody got access to your PIN and wanted to use it, they’d either have to steal your Monzo card, get access to your unlocked phone, or they would need to have access to your email account (to log into the app).
We keep strict records, and after reviewing them, we’re confident your data hasn’t been used for anything inappropriate. But we’re recommending you change your PIN number as a precaution.
If you think you can see anything suspicious on your account, please get in touch with us straight away through in-app chat or by calling the number on the back of your debit card.
As @kolok reported earlier from their conversation with Customer Support, it’s very unlikely that you’ll experience any fraud because of this issue. But if you do, Monzo will cover that loss (unless our investigation finds that you made the transactions or failed to protect your information, which is always the case when we investigate reports of fraud).
Has this been communicated to regulators?
We’ve told the ICO, the FCA and the PRA, and told them about our plans to fix the issue immediately and communicate what happened to customers.
How was the issue discovered, and how long had it been going on? How can I know for sure that the issue has been resolved?
One of our security engineers found the issue while working on something else. This has been happening for the last six months – we discovered the issue on Friday 2nd August. The information was stored in records we don’t need to check for other reasons, which meant we didn’t spot the issue sooner.
We’ve checked all the accounts that have been affected by this bug thoroughly, and confirmed the information hasn’t been used to commit fraud. But as you know, we’re also recommending people change their PINs. We know it’s not convenient and we’re sorry about that, but the safety of your account is our priority.
Does this affect personal accounts only, or joint accounts as well?
It’s affected less than a fifth of UK customers across all types of accounts. If you’ve received an email, you should change all your Monzo PIN codes.
What happens if there’s no option to update the app?
This is probably because you’re already on the latest version, which is iOS 2.59.0 and Android 2.59.1.
Why did I receive an email if I haven’t used the two affected features?
We’re sure that these are the only two features affected – so if you received an email, it’s perhaps that you don’t remember using them in the last six months.