Lloyds app flaw rattles trust in digital banking

Lloyds Banking Group has disclosed that an IT defect exposed the personal data of up to 447,936 customers after a faulty overnight software update allowed some mobile app users to see other people’s current-account transactions. The incident, which affected the Lloyds, Halifax and Bank of Scotland apps on 12 March, has intensified scrutiny of operational resilience at major lenders as more banking activity shifts to digital channels.

The bank told the UK Treasury Committee that the problem ran between 03:28 and 08:08 on 12 March, after an update introduced what it described as a software defect in code used to refresh the application programming interface, or API, for its mobile apps. Lloyds said internet banking was not affected, customer balances were unchanged, and users could not move money or take unauthorised action on another person’s account.

According to the bank’s letter to MPs, 1.67 million customers logged into its mobile apps while the issue was live. Lloyds said a maximum of 447,936 customers may have been shown other people’s transactions or had some of their own transactions shown to others at “level 1”, meaning the transaction-list screen. It added that 114,182 customers clicked through to individual payments, where more detailed information could have been visible.

The data that could be exposed went beyond basic transaction lines. Lloyds said affected users may have been able to see payment amounts, transaction dates and payment identifiers, including details entered by senders. In some cases, those references could contain National Insurance numbers, vehicle registration numbers or free-text descriptions. At a deeper level, users could also have seen sort codes and account numbers tied to certain payments, including some transactions involving people who were not Lloyds customers.

Lloyds has said the breach occurred only when customers accessed their transaction lists within fractions of a second of one another, a detail the bank has used to argue that the risk of wider misuse was low. It told the committee that it had found no evidence of fraud resulting from the incident and that no customer had reported financial loss at this stage. Even so, the episode is awkward for a lender that has invested heavily in digital delivery while the wider UK banking sector continues to reduce branch networks and steer more customers towards apps and online services.

The chronology set out by the bank shows how quickly the issue escalated. Lloyds said customer reports triggered investigations from 06:20, the defect was resolved by 08:08, and social-media responses began minutes later. By 16 March, the group had pinned a public message stating that a limited number of app users may have briefly seen transactions that were not theirs because of an internal IT change. Customers who may have viewed other people’s data, or had their own details seen by others, were later alerted in-app.

Regulators were informed on the morning of the incident. Lloyds told MPs it contacted the Financial Conduct Authority, the Prudential Regulation Authority and the Information Commissioner’s Office on 12 March, and submitted formal notification to the ICO within the required 72-hour window. It also told customers who may have recorded or shared other people’s information, whether by screenshot, note or online post, to delete it.

The bank has already paid just over £139,000 in goodwill compensation to about 3,625 customers for distress and inconvenience, while saying it has not identified losses that would justify compensation on a financial-loss basis. That response may not end the matter. The Treasury Committee has asked Lloyds for further updates in one month and again in six months, a sign that lawmakers want to test not only how the glitch happened but whether the bank’s assurances hold over time. Dame Meg Hillier, who chairs the committee, has framed the episode as part of a wider question over the trade-off between convenience and resilience in a banking system that is becoming more dependent on technology.


