Don’t let the size of challenger banks fool you: they are just as susceptible to mishandling information as the chain banks. The United Kingdom challenger bank Monzo recently admitted to storing close to 500,000 user PINs incorrectly in its internal systems. A challenger bank is a small retail bank in the U.K. that may cater to areas underserved by larger retail banks. Monzo expanded beyond its European roots into the United States just last month.
How PINs Were Compromised
The company explained that a security bug had caused user PINs to be stored incorrectly in its internal systems: they ended up in encrypted files that engineers could access as part of their job responsibilities. Monzo stated that it normally keeps PINs in a secure part of its system with strict control over who can access them. This “bug” was fixed a few days after a security engineer at the bank found the vulnerability.
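The failure described above, a secret written into internal files outside the protected store where a broad group of staff can read it, is usually an unguarded logging or serialization path rather than a deliberate design choice. The following is an added example and not Monzo's code: it assumes an internal Python service that logs structured audit events, and the field names (card_pin, new_pin, note), the logger name and the sample events are constructed for illustration. It shows a redaction step applied before any log handler persists a record, and a check a test suite can use to prove that no raw PIN reaches the written line.

```python
"""Keeping card PINs out of internal files they were never meant to reach.

Added example (not Monzo's code): PIN values are scrubbed from structured
audit events and from log lines before any handler writes them to disk.
Field names and sample events below are constructed.
"""
import io
import logging
import re

REDACTED = "[REDACTED]"

# Keys whose values are a PIN by definition; masked whatever they hold.
# Assumption: these are the names an internal service would use.
SENSITIVE_KEYS = {"pin", "card_pin", "old_pin", "new_pin"}

# A 4-6 digit run introduced by the word "PIN" in free text, e.g.
# "customer reset PIN to 5678" or "pin: 1234". Unrelated digit runs
# (amounts, the last four digits of a card) are deliberately left alone.
PIN_IN_TEXT = re.compile(r"(?i)(\bpin\b\s*(?:to|is|[:=])?\s*)(\d{4,6})\b")


def redact(obj):
    """Return a copy of obj with PIN-bearing content masked.

    Dict keys in SENSITIVE_KEYS are masked outright; every other string,
    at any nesting depth, has a PIN-shaped value following the word PIN
    masked. Non-string scalars (ints, None) pass through unchanged.
    """
    if isinstance(obj, dict):
        return {
            key: REDACTED if str(key).lower() in SENSITIVE_KEYS else redact(value)
            for key, value in obj.items()
        }
    if isinstance(obj, list):
        return [redact(item) for item in obj]
    if isinstance(obj, tuple):
        return tuple(redact(item) for item in obj)
    if isinstance(obj, str):
        return PIN_IN_TEXT.sub(lambda m: m.group(1) + REDACTED, obj)
    return obj


class PinRedactingFilter(logging.Filter):
    """Scrub the message template and its arguments before formatting.

    Attach it to every handler that writes to disk or ships logs: filters
    on a logger do not run for records propagated from child loggers,
    but handler filters see every record the handler would emit.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.msg, str):
            record.msg = redact(record.msg)
        if record.args:  # a tuple, or a single dict when one mapping was passed
            record.args = redact(record.args)
        return True  # never drop the record, only clean it


def write_audit_line(event: dict) -> str:
    """Log one constructed audit event and return the line a file handler
    would have persisted, with the redacting filter applied."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(PinRedactingFilter())

    logger = logging.getLogger("pin_change_audit")  # constructed logger name
    logger.setLevel(logging.INFO)
    logger.propagate = False  # keep the demo out of the root logger
    logger.handlers.clear()
    logger.addHandler(handler)
    try:
        logger.info("pin-change event %s", event)
    finally:
        logger.removeHandler(handler)
    return buf.getvalue().rstrip("\n")


def leaks_any(text: str, secrets) -> bool:
    """True if any raw secret value still appears in text. Useful as a unit
    test over fixtures of known PINs to catch a regression in redaction."""
    return any(secret in text for secret in secrets)


if __name__ == "__main__":
    # Constructed event: a PIN change recorded as an engineer-readable audit entry.
    event = {
        "user_id": 42,
        "card_pin": "1234",
        "note": "customer reset PIN to 5678",
        "amount_gbp": 1000,
        "card": {"pan_last4": "4321", "new_pin": 9876},
    }
    line = write_audit_line(event)
    print(line)
    print("leaked:", leaks_any(line, ["1234", "5678", "9876"]))
```

The filter sits on the handler rather than the logger so that it covers records propagated from any child logger, and redaction is applied to both the template and its arguments because a PIN can arrive through either. The narrow regex trades recall for precision: it masks digit runs only when the word PIN introduces them, so card last-four digits and amounts survive for debugging, while fields named as PINs are masked regardless of value.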
Many banks use cloud storage services to hold customer information, and those in Europe and the U.K. must follow the strict requirements of the GDPR, the PCI DSS standard, and the Data Protection Act. These require that consumers know when and how their data is being used, and that their privacy is protected when data is used and archived. There are still no federal data privacy laws in the United States, leaving the matter up to each state.
Monzo’s Reaction to the Exposure
After finding the vulnerability, the bank deleted the improperly stored PIN information. It then emailed the thousands of affected customers to tell them they had been affected and should change their PINs as a precautionary measure. Those affected could do so at a cash machine: insert the Monzo card, enter the current PIN, choose PIN services, and then choose the option to “Select a new PIN and change it to a new number.”
So far, there have been no reports of fraud resulting from the vulnerability, but users are encouraged to contact Monzo if they notice suspicious activity on their accounts. The almost 500,000 affected people make up less than a fifth of Monzo’s total user base.
Proper Storage for Banks and Beyond
The most secure way for banks and other businesses to prevent data breaches and improper storage is to use hardware encryption to ensure total security. The hardware-encrypted SecureDrive BT authenticates wirelessly through a mobile app. Users can enable two-factor authentication and can even unlock the drive with unique biometrics such as facial recognition and fingerprint detection. This level of security ensures that only the proper administrators in a business setting, or a teller at a bank, can access data containing personal information.
The drive also features a step-away auto-lock that protects files when a user walks 10 feet from the device, and a remote wipe that clears the information from the device if it is lost or stolen. It is remote-management ready, with geo- and time-fencing features to restrict drive access to predetermined times and places. The SecureDrive is GDPR compliant and FIPS 140-2 validated for total security.
Instead of cloud services, which can experience outages or fall victim to a breach, financial institutions can rely on physical storage. To learn more about our hardware-encrypted devices, call 1-800-388-1266.