Lloyds Banking Group Data Breach Affects Almost 500,000 Customers
In a significant IT failure, Lloyds Banking Group exposed the personal data of nearly 500,000 customers, leaving sensitive information such as payments, account details, and national insurance numbers visible to other users on its mobile banking apps. The incident, which occurred overnight into 12 March, was caused by a software defect introduced during an update to the Lloyds, Halifax, and Bank of Scotland apps.
Scope of the Exposure and Regulatory Response
According to a letter published by the Treasury select committee, up to 447,936 customers were potentially able to view private information of other users, with about 114,182 people clicking into transactions that revealed account details, national insurance numbers, or payment references. The bank reported itself to the Financial Conduct Authority on the morning of 12 March and notified the Information Commissioner's Office within the required 72-hour timeframe.
Jasjyot Singh, the Lloyds chief executive of consumer relationships, stated that the bank is asking customers who may have recorded or shared information to delete it. He noted that there is currently no evidence of misuse or malicious activity, but the bank will continue to monitor for potential fraud closely.
Compensation and Broader Implications
Lloyds has paid £139,000 to compensate 3,625 customers for distress and inconvenience, though no financial losses have been reported. This glitch raises questions about customer protections as banks increasingly close branches and push users toward digital banking. The number of UK bank branches fell from roughly 10,565 to 6,870 in the decade to 2024, highlighting the shift to online services.
Meg Hillier, the Treasury committee chair and Labour MP, commented that modern banking methods involve a trade-off, with technology prone to unpredictable errors. She emphasized the need for consumers to understand this risk. Singh added that Lloyds is prioritizing analysis, customer engagement, and learning lessons from the incident, with further updates to the committee scheduled for April and September.
