A data leak at Lloyds Banking Group stemming from an IT glitch exposed the personal information of nearly half a million customers, enabling them to see each other’s transactions.
Lloyds Banking Group owns Halifax and Bank of Scotland. Serving about 28 million customers, Lloyds employs approximately 65,000 people and reported annual revenue of £34 billion in 2024.
On March 12, the banking group encountered a software defect that enabled customers to see each other’s transactions.
Data leak at Lloyds affects nearly 450,000 individuals
The data leak affected 447,936 individuals at Lloyds, Halifax, and Bank of Scotland, with 114,182 customers clicking on others’ transactions. It also affected individuals who were not Lloyds customers but transacted with the bank’s clients.
Details leaked included national insurance numbers and payment references. Some customers also alleged seeing others’ workplaces, wages, and payees’ full names. However, the data leak did not expose account numbers, which would have put victims at greater risk of fraud. Every time a customer opened the banking app, the transaction information of a different person was displayed, suggesting that each individual could view numerous transactions within a short time.
“The defect meant that when a customer requested to view their current account transactions, their transaction data was potentially visible to other customers who were simultaneously – within small fractions of a second – requesting access to their own transactions,” explained Jasjyot Singh, CEO of consumer relationships at Lloyds Banking Group.
However, the IT glitch did not grant account access to other customers. Nonetheless, it caused panic when customers saw unrecognized transactions from unknown locations.
Upon learning of the data leak, Lloyds responded swiftly and rectified the IT glitch. It also contacted the affected individuals, notifying them that other customers potentially saw their transaction information.
“The issue was quickly identified and resolved, and we’ve contacted customers whose transactions may have been visible for that short time,” the company spokesperson stated.
Additionally, the data leak forced the banking group to compensate 3,625 individuals a total of £139,000 ($183,486) for the distress and inconvenience they experienced. However, the data leak has not resulted in any financial losses.
“Based on our assessment of this incident, we have not identified evidence that customers have suffered financial loss, and no customer has reported a financial loss arising from the incident at this stage,” the spokesperson added.
The banking group has launched an investigation to determine the cause of the IT glitch. The Financial Conduct Authority (FCA) has also contacted the banking group to determine the steps being taken to rectify the situation.
Similarly, the U.K.’s Information Commissioner’s Office (ICO) was notified within 72 hours, as required under the country’s data breach reporting regulations.
Lloyds IT glitch stemmed from a software update
According to data breach notification letters sent to the affected individuals, an overnight software update caused the IT glitch that affected the application programming interface (API) used by Lloyds’ banking apps.
“The Lloyds incident is a powerful illustration that data exposure doesn’t require an attacker; a single API defect was enough to break the boundaries between nearly half a million customer accounts,” said Chris Radkowski, GRC Expert at Pathlock. “Authentication was working perfectly; what failed was application-layer access control. That distinction matters. Financial institutions cannot afford to treat data isolation as a deployment checkbox. Continuous monitoring of who can access what and immediate detection when those boundaries break is now table stakes for any bank operating at digital scale.”
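The defect class Singh and Radkowski describe, authentication succeeding while per-request data isolation fails when requests overlap, as an added Python illustration that is not the bank's code: the shared-state race it models is an assumed mechanism, not the reported root cause, and the customer ids and ledger rows are constructed. It contrasts the fragile pattern with one where identity travels with the request and every response is checked against the requester, so a regression is blocked and detectable rather than a silent leak.

```python
import threading
# Constructed sample ledger: every row carries its owner so the service can
# check what it is about to return against who asked for it.
LEDGER = [
    {"owner": "cust-A", "amount": -42.10, "reference": "GROCERY STORE"},
    {"owner": "cust-B", "amount": -1200.00, "reference": "RENT PAYMENT"},
]

class OwnershipViolation(Exception):
    """Response contains rows that do not belong to the requester."""

# Vulnerable pattern (assumed, not the reported root cause): the authenticated
# identity is parked in shared mutable state between login and the data fetch.
_current_customer = None

def vulnerable_transactions(customer_id, sync=None):
    global _current_customer
    _current_customer = customer_id   # authentication succeeded for customer_id
    if sync is not None:
        sync.wait()                   # stands in for I/O while another request runs
    return [r for r in LEDGER if r["owner"] == _current_customer]

# Hardened: identity travels with the request, and every response is verified
# against the requester before it leaves the service (catches any regression).
def enforce_ownership(rows, customer_id):
    leaked = [r for r in rows if r["owner"] != customer_id]
    if leaked:
        raise OwnershipViolation(f"{len(leaked)} row(s) not owned by {customer_id}")
    return rows

def safe_transactions(customer_id, sync=None):
    if sync is not None:
        sync.wait()
    return enforce_ownership([r for r in LEDGER if r["owner"] == customer_id], customer_id)

def run_concurrently(handler):
    """Serve two customers at once, forcing the interleaving with a barrier.
    Returns {customer_id: owners seen} or 'blocked' if the check fired."""
    barrier, results = threading.Barrier(2), {}
    def worker(cid):
        try:
            results[cid] = sorted({r["owner"] for r in handler(cid, barrier)})
        except OwnershipViolation:
            results[cid] = "blocked"
    threads = [threading.Thread(target=worker, args=(c,)) for c in ("cust-A", "cust-B")]
    for t in threads: t.start()
    for t in threads: t.join()
    return results

def cross_customer_leaks(results):
    """Count responses that showed a customer someone else's rows."""
    return sum(1 for cid, seen in results.items() if seen not in ("blocked", [cid]))
```

With the barrier forcing both requests to overwrite the shared identity before either reads it, exactly one of the two customers is shown the other's rows; wrapping the same fetch in `enforce_ownership` turns that into a raised error that monitoring can alert on.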
Meanwhile, Lloyds has faced criticism for reportedly accessing employees’ financial accounts, which they are required to hold with the banking group, raising serious privacy concerns. Privacy advocates also worry that the company could potentially access customer accounts in a similar way to advance its own interests.