Banking start-up Monzo has sent out emails to half a million customers after its engineers caught a glimpse of the PIN numbers associated with their cards.

The British banking service, which serves 2.5 million customers, recently secured a new round of funding and is about to launch in the United States. It was going fine until the company somehow failed to secure PIN numbers for customers’ cards and accidentally exposed them to its staff. One in five of those customers is now receiving the following notification:

“On Friday 2nd August, we discovered that we’d also been recording some people’s PINs in a different part of our internal systems (in encrypted log files). Engineers at Monzo have access to these log files as part of their job.”

Monzo assures customers that it took steps to rectify the situation as soon as it discovered the bug that caused it. It also claims no one outside the company had access to the PINs, and that the information hasn’t been used to commit fraud.

“Just in case, we’ve messaged everyone that’s been affected to let them know they should change their PIN by going to a cash machine,” reads the notice.

If that includes you, it’s highly recommended that you follow Monzo’s advice. If you haven’t received the email, you’re not affected. However, the company still wants you to make sure the Monzo app is up to date on your iOS or Android device. This has nothing to do with the PIN-leaking bug. Rather, it just ensures things run smoothly with the service.

A few disgruntled customers writing on the company’s community forum believe they shouldn’t have to take any action, this being Monzo’s blunder, not theirs.

“This is not good. I don’t want to change my PIN because someone at Monzo has made a mistake,” a user identified as Drew58 wrote. “I’ve kept my side of keeping things safe doesn’t sound like Monzo have. I’m sure a few will disagree but I’m not the one who has done anything incorrect here.”

Drew is right in that it was Monzo’s fault to begin with. However, now that customers are armed with this information, they’d be negligent to postpone changing their PIN number. The situation in no way differs from having your password leaked in a data breach, with the service operators urging you to change your password because hackers now have it. Sometimes, bad things just happen. Of course, that doesn’t exonerate Monzo. Their security practices were lax and they should have known better than to misuse customer data like that, especially with today’s harsh data privacy laws.