The company discovered the bug on Friday, August 2, 2019, and spent all weekend removing PINs from its internal logs.
The issue occurred when Monzo customers used two specific features of their Monzo mobile apps, namely the feature that reminds users of their card number and the feature for cancelling standing orders. When Monzo customers used one of these two features, they would be asked to enter their account PIN for authorisation purposes, but unknown to them, the PIN would also be logged inside Monzo's internal logs.
Monzo said these logs were encrypted and that only a few employees had access to the data stored inside. The company said that all users should update their mobile apps. The company published an update for its mobile app on Saturday, August 3, 2019, so the apps will not send the account PIN code to Monzo servers anymore.
Users who had their PINs recorded in Monzo's logs received email notifications. The number of affected users is around 480,000. Users who did not receive an email were not impacted, the bank said.
Monzo launched in the UK in 2015 and it does not have any branches, as it operates solely via its mobile apps. In June 2019, the company announced plans to launch in the US.