Lloyds app glitch turned transactions into shared experience for 447k users
A botched update mixed up transaction data across accounts, with thousands now receiving goodwill payouts
A botched overnight software update at Lloyds Banking Group left up to 447,000 customers briefly seeing other people's transactions in its mobile apps, with the bank now acknowledging the scale of the incident and compensating affected users.
Details of the incident emerged in a letter from Jasjyot Singh, the bank's CEO of consumer relationships, to the Treasury Committee, following questions about the March 12 glitch that affected Lloyds, Halifax, and Bank of Scotland users.
According to Singh, the issue was triggered by an IT change pushed overnight between March 11 and 12, introducing a software defect in the API handling transaction data. Between 03:28 and 08:08 that morning, customers logging into the apps could end up seeing fragments of other people's account activity if they accessed their transaction lists at almost exactly the same moment as another user.
Lloyds says no one could move money or access accounts, but users were able to see transaction amounts, dates, and payment references, which can include personal identifiers. Those who drilled into individual payments could potentially view sort codes, account numbers, and any text entered alongside a transaction, including National Insurance numbers or vehicle registration details where these had been used as references.
Out of 21.5 million mobile banking users, 1.67 million logged in during the affected window. Lloyds said as many as 447,936 customers may have been exposed to other people's transaction lists, while up to 114,182 could have seen more detailed payment information. The crossover works both ways: some customers saw other people's transactions, while others had their own details briefly shown to strangers.
"In some cases, the transaction information visible may have related to individuals who are not Lloyds Banking Group customers, for example in an instance where a payment was made from a Lloyds Banking Group customer account to an account holder at another bank," Singh admitted.
Singh says the exposure was brief and unlikely to lead to fraud, with no financial losses so far. Even so, the bank has told customers to delete any screenshots or notes they may have taken and says it's monitoring for misuse.
So far, Lloyds has paid out just over £139,000 to around 3,625 customers as goodwill for distress and inconvenience, rather than compensation for losses. It says it will consider further claims if any financial harm emerges.
The bank said it notified regulators on the morning of the incident and followed up with a formal notification to the ICO within the required 72-hour window.
The root cause, Lloyds says, was a flaw in how the updated API handled simultaneous requests, effectively breaking the isolation between accounts when two users hit the same function within fractions of a second. The bank is now reviewing how that defect slipped past its design, testing, and quality assurance processes.
In response to Lloyd's update, chair of the Treasury Committee, Dame Meg Hillier, said: "Modern banking methods mean we can now perform a variety of tasks on our phones in a matter of seconds, and almost anywhere.
"What this incident brings into focus is the fact that there is a trade-off. By moving more interactions with our bank online, we place our faith in technology which can suffer unpredictable errors. It's critical that consumers understand this, and that's why my Committee continues to push banks to be transparent when things go wrong."
Banking apps are built on one basic rule: your account is yours. For a few hours on March 12, that rule didn't hold. ®