A botched software update at Lloyds Banking Group caused a major data exposure incident where up to 447,000 customers briefly saw other users' transaction details in their mobile banking apps.
A botched overnight software update at Lloyds Banking Group has exposed the transaction data of nearly half a million customers, marking one of the UK's most significant banking app failures in recent years. The incident, which occurred on March 12, left up to 447,000 customers briefly seeing other people's financial activity in their mobile banking apps, with Lloyds now compensating affected users and facing scrutiny from regulators.

The scale of the breach emerged through a letter from Jasjyot Singh, Lloyds' CEO of consumer relationships, to the Treasury Committee. According to Singh, the problem was triggered by an IT change pushed overnight between March 11 and 12, which introduced a software defect in the API handling transaction data. Between 03:28 and 08:08 that morning, customers logging into the apps could end up seeing fragments of other people's account activity if they accessed their transaction lists at almost exactly the same moment as another user.
What Data Was Exposed?
The exposure was extensive and potentially invasive. While Lloyds maintains that no one could move money or access accounts directly, users were able to see transaction amounts, dates, and payment references. These references can include personal identifiers that customers enter when making payments. Those who drilled into individual payments could potentially view sort codes, account numbers, and any text entered alongside a transaction.
This means sensitive information such as National Insurance numbers or vehicle registration details could have been exposed if customers had used them as payment references. The bank acknowledged that in some cases, the exposed information related to individuals who weren't even Lloyds customers, such as when payments were made from a Lloyds account to an account holder at another bank.
Scale of the Incident
Out of 21.5 million mobile banking users, 1.67 million logged in during the affected window. Lloyds estimates that as many as 447,936 customers may have been exposed to other people's transaction lists, while up to 114,182 could have seen more detailed payment information. The crossover works both ways: some customers saw other people's transactions, while others had their own details briefly shown to strangers.
Immediate Response and Compensation
Lloyds says the exposure was brief and unlikely to lead to fraud, with no financial losses reported so far. However, the bank has taken several precautionary measures. Customers have been advised to delete any screenshots or notes they may have taken during the incident, and Lloyds says it's monitoring for any signs of misuse.
The bank has already paid out just over £139,000 to around 3,625 customers as goodwill for distress and inconvenience, rather than compensation for losses. Lloyds has stated it will consider further claims if any financial harm emerges from the incident.
Technical Root Cause
The root cause, according to Lloyds, was a flaw in how the updated API handled simultaneous requests. The defect effectively broke the isolation between accounts when two users hit the same function within fractions of a second. This timing-dependent defect, a race condition in the request handling, meant that the system's normal safeguards against cross-account data exposure failed only under a specific interleaving of requests, which is exactly the kind of condition that single-user functional testing does not exercise.
The bank is now reviewing how this defect slipped past its design, testing, and quality assurance processes. This review will likely examine whether adequate testing for concurrent access scenarios was conducted before the update was deployed.
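The letter does not say what the defect in the Lloyds API looked like, so the following is an added illustration, not Lloyds' code: a hypothetical request handler in which the authenticated account id is kept on a handler object shared between concurrent requests, placed beside a version that keeps it request-local. The `run_interleaved` driver forces the interleaving the article describes (a second request arriving between the first request's authentication step and its data-fetch step) deterministically, which is the kind of concurrent-access test the review mentioned above would be looking for. The account ids, session tokens and ledger entries are constructed sample data.

```python
import threading
from dataclasses import dataclass

# Constructed sample ledger (not real data): account id -> transaction rows.
# The payment reference on acct-B carries a made-up personal identifier, the
# kind of free-text field the article says could be exposed.
LEDGER = {
    "acct-A": [("2024-03-12", -12.50, "COFFEE")],
    "acct-B": [("2024-03-12", -800.00, "RENT REF AB123456C")],
}

# Constructed session table: bearer token -> authenticated account id.
SESSIONS = {"tok-A": "acct-A", "tok-B": "acct-B"}


@dataclass
class Request:
    session_token: str


class VulnerableTransactionsApi:
    """Hypothetical defect: the authenticated account id is stored on the
    handler instance, which one process shares across all request threads.
    A second request can overwrite it between authentication and fetch."""

    def __init__(self):
        self.current_account = None  # shared mutable per-request state: the bug

    def handle(self, request, after_auth=lambda: None):
        self.current_account = SESSIONS[request.session_token]  # step 1: authenticate
        after_auth()  # hook so a test can run another request in this window
        return LEDGER[self.current_account]  # step 2: fetch for *whoever* set it last


class HardenedTransactionsApi:
    """Same flow, but the account id lives in a local variable, so each
    request's fetch is bound to its own authentication result."""

    def handle(self, request, after_auth=lambda: None):
        account = SESSIONS[request.session_token]  # request-local, never shared
        after_auth()
        return LEDGER[account]


def run_interleaved(api):
    """Drive two requests so that request B runs entirely inside request A's
    auth-to-fetch window. Events make the interleaving deterministic rather
    than relying on a sleep and hoping the race happens."""
    a_paused = threading.Event()
    b_done = threading.Event()
    results = {}

    def request_a():
        def pause():
            a_paused.set()   # tell B it may start
            b_done.wait()    # stay in the window until B has finished
        results["A"] = api.handle(Request("tok-A"), after_auth=pause)

    def request_b():
        a_paused.wait()
        results["B"] = api.handle(Request("tok-B"))
        b_done.set()

    threads = [threading.Thread(target=request_a), threading.Thread(target=request_b)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def cross_account_leak(api):
    """True if either caller received rows belonging to the other account."""
    results = run_interleaved(api)
    return results["A"] != LEDGER["acct-A"] or results["B"] != LEDGER["acct-B"]


if __name__ == "__main__":
    print("vulnerable leaks:", cross_account_leak(VulnerableTransactionsApi()))
    print("hardened leaks:  ", cross_account_leak(HardenedTransactionsApi()))
```

With the vulnerable handler, caller A is shown acct-B's rent payment and its reference text, while caller B sees its own data and nothing looks wrong from B's side, matching the article's point that the crossover is one-directional per request and invisible to the user whose data was shown. The hardened handler returns the right rows under the same interleaving. The useful takeaway for a QA process is the driver: a concurrency regression test should force the interleaving it is trying to catch rather than run many requests and hope.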
Regulatory Implications
Lloyds notified regulators on the morning of the incident and followed up with a formal notification to the Information Commissioner's Office (ICO) within the required 72-hour window under UK data protection regulations. The incident raises questions about whether the bank's testing procedures were sufficient and whether the API design adequately protected against such timing-based vulnerabilities.
Under the UK GDPR, organizations can face fines of up to £17.5 million or 4% of annual global turnover for data breaches. While Lloyds has characterized this as a technical glitch rather than a malicious breach, the scale of exposure could still attract regulatory scrutiny.
Industry Context
This incident comes amid growing concerns about the reliability of digital banking services. Several British banks have reported major outages in recent months, highlighting the challenges of maintaining complex banking IT systems. The Treasury Committee's involvement underscores the seriousness with which regulators and lawmakers view such failures.
What This Means for Customers
For the 447,000 potentially affected customers, the incident represents a significant breach of the fundamental trust that underpins banking relationships. The fact that personal financial information was briefly visible to strangers, even without the ability to make transactions, represents a serious privacy violation.
Customers should be aware that while Lloyds says the exposure was brief, any data that was viewed or captured during the window cannot be completely recovered. The bank's advice to delete screenshots and notes is a recognition that some users may have retained copies of other people's financial information.
Looking Forward
The incident highlights the delicate balance between the convenience of mobile banking and the risks of technical failures. As Dame Meg Hillier, chair of the Treasury Committee, noted: "Modern banking methods mean we can now perform a variety of tasks on our phones in a matter of seconds, and almost anywhere. What this incident brings into focus is the fact that there is a trade-off. By moving more interactions with our bank online, we place our faith in technology which can suffer unpredictable errors."
For Lloyds Banking Group, the immediate priority will be ensuring that similar defects cannot occur in future updates. This likely means enhanced testing procedures, particularly around concurrent access scenarios, and potentially more conservative deployment strategies for critical banking functions.
The incident serves as a reminder that even the largest financial institutions remain vulnerable to technical failures that can expose sensitive customer data. As banking continues to shift toward digital channels, the industry must balance innovation and convenience with robust safeguards against such failures.
