Lloyds Banking Group’s response to a request from the UK government’s Treasury Committee shows that a programming error was the root cause of a breach that exposed details of more than 114,000 mobile banking customers.
The bank said it has made goodwill payments totalling just over £139,000 to around 3,625 customers as of 23 March. It said it also submitted a formal notification to the Information Commissioner’s Office within 72 hours after the breach, in line with statutory timelines.
As Computer Weekly has previously reported, on the morning of 12 March, a fault in the Lloyds banking app enabled some customers to see the transactions of other customers. Customers of the group’s Halifax, Bank of Scotland and Lloyds Bank apps were affected by the security breach.
While the bank resolved the breach quickly, Meg Hillier, chair of the Treasury Committee, sent an email to Lloyds Banking Group’s group CEO, Charles Nunn, with the subject line “Improper disclosure of individuals’ account information”. In the email, Hillier described the incident as “an alarming breach of data confidentiality.”
The information she requested from the bank’s boss included details of the breach, how many customers were affected, whether customers could be identified and what steps Lloyds Banking Group has taken to encourage those who may have taken copies of data – to which they were not entitled – to delete those copies.
Jasjyot Singh, CEO of consumer relationships at Lloyds Banking Group, has now responded to the Treasury Committee’s questions. Singh stated that the incident was caused by an IT change made overnight between 11 and 12 March which introduced a software defect.
“The defect meant that when a customer requested to view their current account transactions, their transaction data was potentially visible to other customers who were simultaneously – within small fractions of a second – requesting access to their own transactions,” Singh said.
The bank has now established that the defect was in the design of the code used to update the application programming interface (API) used by the app. Singh said the bank is reviewing why this individual defect was not detected by its design, quality assurance and testing processes.
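The mechanism Singh describes, overlapping requests within fractions of a second returning another customer’s transactions, is the classic symptom of per-request state that is shared between concurrent requests. The following is an added, constructed illustration of that defect class beside its request-scoped fix; it is not Lloyds Banking Group’s code, and the shared-context pattern is an assumption about how such a defect typically arises, not a finding from the letter.

```python
# Constructed example: a transaction lookup whose "who is asking" state is
# shared between requests in flight, versus one that keeps it per request.
# Not Lloyds Banking Group's code; the shared-context pattern is an assumption.

# Constructed sample ledger: customer id -> list of transactions.
LEDGER = {"alice": ["Coffee £3.20", "Rent £900"], "bob": ["Rail £45.10"]}

class SharedContextApi:
    """Vulnerable pattern: the requesting customer's id lives in one attribute
    shared by every request, so overlapping requests overwrite each other."""
    def __init__(self):
        self.current_customer = None        # shared across all requests (bug)
    def begin(self, customer):              # phase 1: record who is asking
        self.current_customer = customer    # clobbered by an overlapping request
        return None                         # no per-request handle exists
    def finish(self, _ctx):                 # phase 2: fetch using recorded id
        return self.current_customer, LEDGER[self.current_customer]

class RequestScopedApi:
    """Fixed pattern: each request carries its own context; nothing is shared."""
    def begin(self, customer):
        return {"customer": customer}       # request-scoped state
    def finish(self, ctx):
        return ctx["customer"], LEDGER[ctx["customer"]]

def interleaved(api, requesters):
    """Model the sub-second overlap the letter describes: every request's
    begin() runs before any finish(). Returns (requester, (owner, txns))."""
    ctxs = [api.begin(r) for r in requesters]
    return [(r, api.finish(ctx)) for r, ctx in zip(requesters, ctxs)]

def cross_customer_leaks(results):
    """Detection check: flag any response whose data owner differs from the
    requester. Enforced server-side, or run as a concurrency test before
    release, this catches the defect class regardless of its root cause."""
    return [(req, owner) for req, (owner, _) in results if owner != req]

if __name__ == "__main__":
    print(cross_customer_leaks(interleaved(SharedContextApi(), ["alice", "bob"])))
    print(cross_customer_leaks(interleaved(RequestScopedApi(), ["alice", "bob"])))
```

The same ownership check is cheap to add as an assertion on every API response, which turns a silent confidentiality failure into a logged server error.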
According to Singh, a maximum of 447,936 customers who viewed their transaction list during the affected time period may have been presented with other people’s transactions or may have had some of their transactions presented on another customer’s transaction list. The bank has estimated that 114,182 customers clicked through to view the detail behind individual current account transactions during that time and may have been presented with information about individual payments.
Singh assured the Treasury Committee that the bank’s fraud and cyber monitoring processes have seen no evidence of misuse or malicious activity as a result of the incident. “Based on our assessment of this incident, we have not identified evidence that customers have suffered financial loss, and no customer has reported a financial loss arising from the incident at this stage. Accordingly, we have not made compensation payments on this basis,” he stated in the letter.
