Monzo, one of the UK’s leading challenger banks, has advised almost half a million customers to change their personal identification number after uncovering a potential security flaw.
The digital bank, valued at £2bn, said it had incorrectly stored around 480,000 customer pins where they could be accessed by internal engineers.
Monzo said it had checked all of the accounts affected by the error and “confirmed the information hasn’t been used to commit fraud”.
The bank referred the mishandling of customer data to the Information Commissioner’s Office, the UK data regulator, after discovering the problem last Friday.
The ICO said: “We are aware of an incident involving Monzo and we will be assessing the matter.”
In its statement to customers, Monzo said that it stored pins in a secure part of its system. But it said it had discovered it had also been storing them in a different place, in files that were encrypted but could be decrypted and accessed by its engineers.
“We’ve deleted the information we stored in this way,” the company said. “As soon as we discovered the bug, we immediately made changes to make sure the information wasn’t accessible to anyone in Monzo.”
The company advised anyone affected to update their phone app and change their pin by visiting a cash machine, adding: “We’re really sorry about this.”
“If you think you see anything unusual on your account, please get in touch with us straight away through in-app chat or by ringing the phone number on your debit card.”
The Financial Conduct Authority said it was “aware of the issue” but declined to comment further.
The incident comes weeks after Monzo raised £113m in a round led by Y Combinator Continuity, the Silicon Valley accelerator that helped launch Dropbox and Airbnb.
Monzo said it would use the cash to support its growth in the US, where it launched last month, and to develop new products to move it closer to sustainability.