Lloyds Banking Group exposed the personal data of nearly 500,000 customers in an IT glitch that left people’s payments, account details and national insurance numbers visible to other users, a committee of MPs has revealed.
A letter from Lloyds, published by MPs on the Treasury select committee on Friday, blamed the glitch on a software defect introduced during an IT update to its Lloyds, Halifax and Bank of Scotland mobile banking apps overnight into 12 March.
The bank explained that customers would have had to be looking at their app within “small fractions of a second” of other users in order to access their details.
However, it still meant up to 447,936 customers were potentially able to view private information of other users, with Lloyds adding that about 114,182 people ended up clicking into transactions that revealed account details, national insurance numbers or payment references.
Even people who were not Lloyds Banking Group customers may have had their transaction details exposed, the bank said.
The bank said it reported itself to the City regulator, the Financial Conduct Authority, on the morning of 12 March, and notified the Information Commissioner’s Office within the 72 hours required.
Jasjyot Singh, the Lloyds chief executive of consumer relationships, said the bank was now asking any customers who may have recorded, taken screenshots or posted information about other users to delete the information. “There is currently no evidence of misuse or malicious activity as a result of the incident through our fraud and cyber monitoring process,” he said. However, he said the bank would “continue to monitor [potential fraud] closely”.
Lloyds has so far paid £139,000 to compensate 3,625 customers for distress and inconvenience. However, it said no customers had suffered any financial losses as a result of the IT failure.
The IT glitch is the latest to throw up questions about customer protections at a time when banks are continuing to close branches and push more users into digital banking and payments. It comes as long-established UK financial institutions such as Lloyds rush to compete with the boom in online-only banks ranging from digital challengers such as Monzo and Revolut to the British arms of foreign rivals, including JP Morgan’s Chase UK.
The number of UK bank branches fell sharply from roughly 10,565 to 6,870 in the decade to 2024, according to the Office for National Statistics.
Commenting on Lloyds’ letter, Meg Hillier, the Treasury committee chair and Labour MP, said: “Modern banking methods mean we can now perform a variety of tasks on our phones in a matter of seconds, and almost anywhere. What this incident brings into focus is the fact that there is a trade-off. By moving more interactions with our bank online, we place our faith in technology which can suffer unpredictable errors. It’s critical that consumers understand this.”
Singh said: “Our priority now is to complete our full analysis, continue to engage with our customers, and ensure that we address our responsibilities towards them in full. We will also seek to learn any lessons and update our processes as a result of this incident.”
Lloyds will provide further updates to the committee about the fallout from the IT glitch in April and September.
Facts Only
Actor: Lloyds Banking Group, UK Financial Conduct Authority, Information Commissioner's Office
Event: IT glitch exposing personal data of nearly 500,000 customers on March 12th
Location: Mobile banking apps for Lloyds, Halifax, and Bank of Scotland
Impact: Potential exposure of payments, account details, national insurance numbers; compensation paid to 3,625 customers
Full Take
This incident raises questions about data security and privacy in the rapidly digitizing banking sector. The error occurred during an IT update, highlighting potential vulnerabilities as banks move towards more online-only services. The number of UK bank branches has significantly decreased over the past decade, making digital platforms crucial for customer interaction. The glitch may also bring into question the readiness of long-established institutions like Lloyds to compete with newer digital challengers such as Monzo and Revolut.
Patterns detected: ARC-0024 Ambiguity (the bank clarified that users would need to be viewing transactions at specific moments to access private information, but the potential for data exposure is still significant)
Root Cause: The incident stems from the increased reliance on technology in banking and the challenges of ensuring security during updates. It also reflects the push towards digitalization in the face of declining branch numbers.
Implications: This event underscores the importance of prioritizing data security and privacy, especially as customers' financial information becomes increasingly vulnerable in a digital age. Banks must balance the convenience of online services with robust protections against breaches.
Bridge Questions: How can banks ensure customer data remains secure during updates? What measures can be taken to prevent similar incidents in the future? How should customers respond when faced with potential data leaks from their financial institutions?
