Monzo security glitch exposes customers’ PINs to engineers

• Monzo determined that some customers’ PINs were stored in encrypted log files of their internal systems that were accessible by engineers.
• Upon discovering the security glitch, Monzo made the immediate changes to close the exposure and disable access to the engineers.

What is the issue?

Digital-only bank platform, Monzo has requested around 480,000 customers to change their PINs as their PINs were stored incorrectly.

The big picture

Monzo usually stores customers PINs in a secure part of their systems, however, on August 02, 2019, they determined that some customers’ PINs were stored in encrypted log files of their internal systems. These log files were accessible by Monzo engineers.

Upon discovering the security glitch, Monzo made the immediate changes to close the exposure and disable access to the engineers. The bank officials also deleted all the information that was stored incorrectly, over the weekend.

“By 5:25am on Saturday morning, we had released updates to the Monzo apps. Over the weekend, we then worked to delete the information that we’d stored incorrectly, which we finished on Monday morning,” Monzo said.

What should you do?

• If you’re a Monzo customer, then you need to update your Monzo apps for Android and iOS to the latest versions, 2.59.0 for iOS and 2.59.1 for Android.
• Impacted customers should head to a cash machine to change their PIN to a new number.
• If anyone notices any suspicious activity on their Monzo accounts, they should immediately report to their bank.

What was the response?

Monzo thoroughly reviewed all the impacted accounts and confirmed the no information has been exposed outside and that the compromised information hasn’t been used to commit any fraud.

“No information's been exposed outside Monzo, and this data hasn’t been used for fraud. You should update your app, and we're emailing everyone that’s been affected to let them know they should change their PIN as a precaution,” Monzo tweeted.

“The issue affected less than a fifth of UK Monzo customers. If we’ve contacted you to tell you that you’ve been affected, you should head to a cash machine to change your PIN to a new number as a precaution. You can do this by putting your Monzo card into the cash machine, entering your old PIN and choosing ‘PIN services’. Then choose ‘Select a new PIN’ and change it to a new number,” Monzo said in a blog.