Mobile-only bank Monzo says a bug caused it to log customer PINs inside encrypted internal logs under certain conditions.
The logging happened when Monzo customers used two specific app features:
- A feature that reminds users of their card number
- A feature to cancel standing orders

Both features ask customers to authenticate using their account PIN, and the PINs entered were written to the company’s internal logs. Though the logs were encrypted, a “few employees” did have access to the data stored within. Monzo discovered the bug on August 2, removed all PINs from its logs over the weekend, and published a statement today.
Monzo routinely stores user PINs so it can check whether a customer has entered theirs correctly, but they weren’t supposed to be stored within log files. The company advises customers to update the app as soon as possible. Affected customers will be emailed.