Monzo customer? Check if you need to change your PIN after security error
Around 480,000 Monzo users need to update their app and change their PIN, after numbers were stored in files in a part of the bank's internal systems that could be accessed by some of its staff.
The app-based bank says that it stores PINs in a particularly secure part of its systems, and tightly controls who at Monzo can access them, but last Friday it discovered it had also been recording some people's PINs in a different part of its internal systems which its engineers have access to. There's no suggestion anyone internally accessed the data, but it's poor practice that they could have.
Monzo estimates the problem has affected fewer than a fifth of its customers, and says it has emailed those who have been affected to let them know they should change their PIN by going to a cash machine.
It says if you haven't been emailed, you haven't been affected – so you don't need to change your PIN. But it is asking all of its customers to update their app to iOS 2.59.0 or Android 2.59.1 by going to the Apple Store or Play Store, as it has released updates after finding the problem.
Monzo says it has now deleted the information, and nobody outside Monzo had access to it.
I've been affected – what should I do?
If you've been contacted by Monzo, you need to change your PIN.
You can do this by putting your Monzo card into a cash machine that offers PIN services, entering your old PIN and choosing 'PIN services'. Then choose 'Select a new PIN' and change it to a new number.
To find your nearest ATM offering these services, you can use Link's ATM-finder tool. It's available both online and as an app, which is free to download on iOS and Android devices. Here's how to use it:
- To find your nearest ATM or Post Office, simply search for a postcode or location, or use your current location on the app (to do this you may need to enable location permissions in your settings).
Select a filter to make sure you're shown Post Office branches as well as ATMs.
- Check which ATMs offer PIN services. You'll be shown an interactive map marking the nearest cashpoints and Post Offices.
You can click on an individual ATM, either on the list or the map, to get extra info about its functionality – for example, if it dispenses £5 notes or lets you manage your PIN. You can also use filters, to ensure only ATMs offering PIN services are shown.
On Monzo's blog on the issue, it says: "We've checked all the accounts that have been affected by this bug thoroughly, and confirmed the information hasn't been used to commit fraud."
But you should keep a close eye on your account, and if you notice anything strange contact Monzo straight away through in-app chat or by ringing the phone number on your debit card.
What does Monzo say?
Monzo chief executive Tom Blomfield said: "We've fixed a problem that meant we'd been recording some people's PINs in a different part of our internal systems (in encrypted log files). Engineers at Monzo have access to these log files as part of their job. The information wasn't available to anyone who isn't a Monzo employee.
"We've deleted the data and done a full review of our systems and are confident this information hasn't been accessed or used in a fraudulent way. We've contacted everyone affected by the issue to let them know that they should update their app and change their PIN."