Mobile-Only Bank Monzo Warns 480,000 Customers to Reset PINsSoftware Bug Meant Some Numbers Were Stored Unencrypted
Monzo, a mobile-only, start-up bank based in the U.K. that plans to expand into the U.S., issued a warning to about 480,000 of its customers this week to reset their PINs after the company's security team found a software bug allowed some PINs to be stored unencrypted in plaintext.
The bank's security team found the unsecured customer PINs stored in internal systems on Friday, according to a blog Monzo posted on Monday. The unsecured PINs were deleted, and notice was sent out to about 480,000 customers to rest their numbers as soon as possible, according to a report in the Guardian.
Monzo reports that PINs are supposed to be encrypted and stored in the bank's internal systems with limited access, but because a bug allowed the PINs to be stored in plaintext, more employees could have accessed them. The software bug has since been fixed, the company reports.
"If we've contacted you to tell you that you've been affected, you should head to a cash machine to change your PIN to a new number as a precaution," according to the company’s blog.
So far, Monzo's investigation hasn't turned up any cases of fraud stemming from the unsecured PINs, and no one from outside the bank apparently accessed the data, according to the bank's statement.
A spokesperson for the company did not immediately reply to Information Security Media Group’s request for comment.
The Guardian reports, however, that this security vulnerability has persisted for at least the last six months, and that the incident has been referred to the U.K. Information Commissioner’s Office, which is Britain's watchdog agency for consumer privacy issues.
Different Spin on Banking
Monzo is a fast-growing U.K. fintech start-up that hopes to make inroads in the U.S., according to a profile in TechCrunch. The mobile-first bank has about 2 million customers in Britain. It has about £324 million ($393 million) in venture capital funding and has an estimated value of $2 billion, according to CrunchBase.
In the U.S., the company plans to offer a banking app for its mobile customers that is connected to a Mastercard debit card, Tech Crunch reports.
The mobile-first approach to banking, however, meant that when the PINs were discovered stored in plaintext on Friday, Monzo needed to alert its customers to update their apps, both on Android and iOS devices.
Other Password Exposure Incidents
In recent months, there have been reports that several other companies were storing passwords and other user data in unencrypted or plaintext forms.
For example, in March, Facebook stirred up controversy when an internal security flaw led to the social media giant storing users’ passwords in plaintext that could be accessed by its employees through a search tool (see: Report: Facebook Stored Millions of Passwords in Plaintext).
The issue was brought to Facebook's notice when security blogger Brian Kerbs reported the issue on March 21. According to the report, between 200 million and 600 million Facebook users' passwords were stored in an unencrypted format, with some of the data dating to 2012.
Facebook said the issue was first discovered in January and was corrected without any case of a password being leaked.
In May 2018, Twitter discovered a bug in its hashing process, which prevented the encryption of its users' passwords. That meant passwords were stored in plaintext to an internal log. Twitter said it sent a notice to 330 million users instructing them to reset their passwords.
In a similar case, GitHub reported a bug in its internal system that resulted in the software code hosting website storing its users' passwords in plaintext.