500,000 Monzo banking customers told to change their PINs

Mobile-only bank Monzo has apologised for a gaffe which left the PINs of a subset of its customers exposed to its internal engineers.


The company says that on Friday 2 August it discovered that some users’ PINs had been stored in an internal system in encrypted log files, and these log files were accessible to Monzo engineers.


According to the digital bank, around a fifth of Monzo’s UK customers had their PIN stored for up to six months in the log files after they made a request via the app to be reminded of their card number, or cancel a standing order.


By 5:25am the following morning, Monzo had released updates to its iOS and Android apps fixing the issue, and by Monday morning had permanently deleted the incorrectly stored data.
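A defender-side illustration of the failure described above, added here as example code that is not Monzo's own: a logging filter that redacts PIN fields from structured request payloads, and PIN-like values in free text, before any record reaches a log file. The request shape, its field names and the `RedactingFilter` class are assumptions made for this example.

```python
import logging
import re
from typing import Any

# Keys whose values must never be written to a log, encrypted or not (assumed names).
SENSITIVE_KEYS = {"pin", "card_pin", "cvv", "password"}
# A 4-6 digit value following "pin=" or "pin:" in free text, e.g. "pin=1234".
PIN_IN_TEXT = re.compile(r"(?i)\b(pin\s*[=:]\s*)(\d{4,6})\b")
REDACTED = "[REDACTED]"


def scrub(value: Any) -> Any:
    """Recursively redact sensitive keys in dicts/lists and PIN-like text in strings."""
    if isinstance(value, dict):
        return {k: (REDACTED if k.lower() in SENSITIVE_KEYS else scrub(v))
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(scrub(v) for v in value)
    if isinstance(value, str):
        return PIN_IN_TEXT.sub(r"\1" + REDACTED, value)
    return value


class RedactingFilter(logging.Filter):
    """Handler filter that scrubs the message and its args before formatting."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.msg)
        if record.args:
            record.args = scrub(record.args)
        return True  # keep the record, now sanitised


class ListHandler(logging.Handler):
    """Captures formatted lines in memory so the result can be inspected."""
    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def log_request(request: dict) -> str:
    """Logs a whole request object (the risky habit) and returns the written line."""
    logger = logging.getLogger("pin_redaction_example")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    logger.info("handling %s request: %s", request["action"], request)
    return handler.lines[-1]


# Constructed sample request carrying a PIN, as a "remind me of my card number" call might.
SAMPLE_REQUEST = {"action": "remind_card_number", "user_id": "u-123", "pin": "4821"}
```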


Although there’s undoubtedly concern that a breach like this could have occurred, some credit has to be given to Monzo for addressing the issue so rapidly and its transparency in informing customers about the problem.


By now many customers will already have updated their smartphone’s Monzo app, and affected users should have received an email notification regarding the issue.



Although some users have mentioned that an in-app notification might have reassured them that the email wasn’t fraudulent, I get the impression that Monzo is trying hard to fix a problem here and be seen to be taking the incident seriously. That’s at odds with how many companies respond to a breach, where they wring their hands claiming they “take security seriously” but don’t leave the impression that lasting lessons have been learnt.


What’s important ..
