it has been now, I’ve reported it myself.
Banks are not currently legally obliged to tell customers when they log their own data into their own internal-only logs.
As an enterprise software developer of more than a decade, I have no idea what you’re talking about.
Anything a system can get hold of, it can log. You’ve acknowledged what others have said that even a basic cashier at a normal high-street bank can see your PIN number if they want to and somehow you think that’s less of a threat than a few high-privileged software developers being able to?
Part of the problem is that this mistake was allowed to happen in the first place. It points to processes that aren’t robust enough. I’ve said it many times, this type of error just shouldn’t be possible for a bank.
But cashiers and call handlers are logged into the system with their own credentials, and they can only access a customer’s file with permission of that customer, which is then verified by the security details you confirm with that member of staff. The member of staff will have been vetted and checked under FCA rules, and they leave their footprint on your account when they access it and see your sensitive data. So if they were to start using your PIN, or transfer money or anything like that, the bank will know who to go to.
Software engineers can log in, do what they like then clear the logs. I’d trust a cashier over a random software engineer anyday
Surely they would need something else in addition to the PIN? (Like access to the App on the phone etc)
Hi all! I’ve been collating answers to your questions from the relevant staff members.
Concerns about the email / how it’s been communicated
Thanks for everyone who had feedback about how we communicated the issue - we’re taking it seriously. We’ve sent out an email for now, but of course it’s important to us that everyone who’s been affected receives the information. We’re keeping an eye on things to make sure people have seen our message, and we’ll review soon if we need to get in touch with anyone through a different channel.
What’s the risk of not changing my PIN?
If somebody got access to your PIN and wanted to use it, they’d either have to steal your Monzo card, get access to your unlocked phone, or they would need to have access to your email account (to log into the app).
We keep strict records, and after reviewing them, we’re confident your data hasn’t been used for anything inappropriate. But we’re recommending you change your PIN number as a precaution.
If you think you can see anything suspicious on your account, please get in touch with us straight away through in-app chat or by calling the number on the back of your debit card.
As @kolok reported earlier from their conversation with Customer Support, it’s very unlikely that you’ll experience any fraud because of this issue. But if you do, Monzo will cover that loss (unless our investigation finds that you made the transactions or failed to protect your information, which is always the case when we investigate report of fraud).
Has this been communicated to regulators?
We’ve told the ICO, the FCA and the PRA, and told them about our plans to fix the issue immediately and communicate what happened to customers.
How was the issue discovered, and how long had it been going on? How can I know for sure that the issue has been resolved?
One of our security engineers found the issue while working on something else. This has been happening for the last six months – we discovered the issue on Friday 2nd August. The information was stored in records we don’t need to check for other reasons, which meant we didn’t spot the issue sooner.
We’ve checked all the accounts that have been affected by this bug thoroughly, and confirmed the information hasn’t been used to commit fraud. But as you know, we’re also recommending people change their PINs. We know it’s not convenient and we’re sorry about that, but the safety of your account is our priority.
Does this affect personal accounts only, or joint accounts as well?
It’s affected less than a fifth of UK customers across all types of accounts. If you’ve received an email, you should change all your Monzo PIN codes.
What happens if there’s no option to update the app?
This is probably because you’re already on the latest version, which is iOS 2.59.0 and Android 2.59.1.
Why did I receive an email if I haven’t used the two affected features?
We’re sure that these are the only two features affected – so if you received an email, it’s perhaps that you don’t remember using them in the last six months.
The software engineers will also be logged into the system with their own credentials and they likely don’t have any ability to clear said logs.
I’d personally trust 5-10 highly paid professionals who are passionate about the company they’re working for and who already have access to tonnes of your data and have been shown to not abuse it but have accidentally stumbled onto a bit more of it over 10,000 people who earn an average wage and could have taken the job specifically in order to commit fraud. I’d also trust a software engineer to keep their credentials secure over someone outside of IT. It wouldn’t surprise me at all if half of the people in a bank branch knew each other’s credentials and even had to often login as each other to get round limitations in their systems.
I can assure you that this sort of thing happens quite regularly at regular high-street banks and probably wouldn’t even bother being flagged up in the first place. I know quite a few people who have contracted with UK banks and some of the stories they tell…
The breach allowed to see private messages exchange between customer and the bank. That issue has been reported with the ICO and is now fixed with the bank.
A cashier is not a risk factor as they can’t do anything with the PIN. If you say they can clone the card data and then use the PIN I’ll wet my trousers laughing
As for logging, I disagree since Monzo clearly admitted to logging sensitive production data rendering the encryption useless. There is no reason to log the PIN using encryption known to individuals as that makes the encryption useless.
They can clone the card data and then use the PIN
Although knowledge of someone’s PIN could be enough to trick them into doing or disclosing something else.
And I presume Monzo engineers are able to change the email address associated with an account, which means they wouldn’t actually need access to my email account.
Still, I agree, it’s a low risk data breach
Which email? The one that tells you “We’ve fixed an issue that meant we weren’t storing some customers’ PINs correctly.” or one that says “you’ve been affected”? I’ve received AN email with the subject ‘Please update your app and change your PIN’ which directs me to this blog. So, are some customers not being told about this at all because Monzo believe they weren’t affected? The whole thing is very confusing.
Hope you’re happy now.
Social engineering is the most likely fraud vector for anyone who works for a bank to defraud someone (and plausibly get away with it)
Monzo users are far too quick to accept issues as “it’s OK, they are the good guys”. A word springs to mind here but using it will end up getting the post blocked.
So is copy and paste if the data is just sitting there
You missed the point in the email where the logs are encrypted.
Your posts you have demonstrated little knowledge of the problem, system logging is standard practice, it appears in this instance sensitive data was logged to encrypted logs which they have said shouldn’t have been.
The data has been removed and the code which logged this data been removed.
I take comfort that the logs stuff, if they didn’t how would the investigate and detect suitably that fraudulent activity was happening on the accounts.
I think Monzo’s approach has been perfect, they admitted there was a problem, not fluffed things, come clean with customers and regulators, as been stated here, there is no obligation for them to do so legally as was internal situation.
I am certain that all their staff are vetted and pass security checks, and all access to records are logged.
Yes, it happened, it shouldn’t but response has been A*
They were obviously decrypted for them to see the issue. It’s not encrypted to a point they can’t access it. What are you defending…?
Sensitive card data is not standard practice Daniel! You never troubleshoot with live data, that’s why full encryption is used. If someone can decrypt it, then it defeats the whole point. Vetting has nothing to do with it.
To be fair this is speculation, they engineer that found the issue may have just found the code that caused the issue first and found it that way rather than finding the data in the logs first. Either way though I presume it is indeed decrypt-able or else there wouldn’t have been an issue (I presume).