PROBABLYPWNED
Data Breaches · March 30, 2026 · 4 min read

Lloyds App Glitch Exposed 450K Customers' Transactions to Other Users

API defect in Lloyds, Halifax, and Bank of Scotland apps let users view strangers' transactions including account numbers and NI numbers. Bank paying compensation.

Sarah Mitchell

Nearly 450,000 Lloyds Banking Group customers had their transaction data exposed to other app users after a software update broke account isolation. The incident, which occurred on March 12, 2026, saw detailed payment information—including account numbers, sort codes, and in some cases National Insurance numbers—visible to the wrong people.

Lloyds disclosed the scope to Parliament's Treasury Committee on March 27, 2026, revealing that the five-hour window affected customers across its Lloyds, Halifax, and Bank of Scotland mobile apps.

What Happened

A software update deployed overnight on March 11-12 introduced an API defect that broke account isolation: when two users requested their transaction lists at the same time, the service could answer one of them with the other's data. The defective build was live from 03:28 to 08:08 GMT on March 12.

During that window, 1.67 million of the bank's 21.5 million mobile app users logged in. Of those, up to 447,936 had transaction data that could have been served to another user. Lloyds puts the number of users who actually opened transaction details belonging to someone else at 114,182.

The exposed data included:

  • Transaction amounts and dates
  • Payee information and payment references
  • Sort codes and account numbers
  • Text fields that sometimes contained National Insurance numbers or vehicle registration details

No unauthorized transactions occurred, and Lloyds says the risk of financial fraud from the exposure is low. But the incident underscores how a seemingly minor software regression can cascade into a significant data protection failure.

The Compensation Response

Lloyds has distributed £139,000 in goodwill payments to approximately 3,625 customers for distress and inconvenience. The bank told regulators it would consider additional claims if financial harm emerges later.

The compensation amounts are modest. Separately, the bank says it notified the Information Commissioner's Office within the 72-hour window UK GDPR sets for reporting a personal data breach. Whether the ICO pursues further action remains to be seen; for serious infringements the regulator can fine up to £17.5 million or 4% of global annual turnover, whichever is higher.

Why This Matters

Banking apps have become the primary way millions of people interact with their finances. When API flaws expose customer data, the trust damage extends beyond the immediate incident. Users who saw someone else's transactions now know the system can fail. Users whose data was exposed may never know who saw it.

This wasn't a sophisticated attack exploiting a zero-day vulnerability—it was a broken software update that apparently wasn't caught in testing. The defect was live for under five hours, which suggests that once the symptoms were noticed the root cause was neither obscure nor hard to fix. The open question is why pre-release testing didn't catch a regression in core account isolation.

For financial institutions, the incident is a reminder that security isn't just about defending against external threats. Internal software quality directly affects data protection outcomes. Account isolation is a foundational security control, and any code path that touches it should have automated tests, including tests that run several authenticated sessions concurrently and assert that every response contains only the requesting account's data. A defect that appears only when two requests interleave will pass every functional test that exercises one user at a time.
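The failure mode described under "What Happened" (a response that belongs to another customer only when two requests are in flight at once) and the kind of isolation test that would catch it, as an added illustration. This is constructed example code written for this article, not Lloyds' code: the page does not say what the defect was, so the module-level "current customer" variable, the handler shape, the customer ids and the ledger rows are all assumptions about one common way such a bug arises.

```python
"""Constructed example (not Lloyds' code): one common way an API handler can
return another customer's transactions only under concurrent requests, the
corrected handler, and an isolation test that tells them apart.
Assumptions: identity is parked in a module-level variable between two steps
of request handling; customer ids and ledger rows are made up."""
import threading
from typing import Callable, Dict, List, Optional

# Constructed sample ledger: two customers, each with their own rows.
LEDGER: Dict[str, List[str]] = {
    "cust-A": ["2026-03-12 GBP 42.10 TESCO", "2026-03-12 GBP 900.00 RENT ref FLAT-7"],
    "cust-B": ["2026-03-12 GBP 15.00 VEHICLE TAX ref AB12CDE"],
}

# A handler takes the authenticated customer id and an optional barrier that
# the test harness uses to force two requests to interleave at the same point.
Handler = Callable[[str, Optional[threading.Barrier]], List[str]]

# --- Vulnerable pattern (assumed, for illustration) -------------------------
# The "current customer" is stashed in shared module state between the auth
# step and the data-access step, so a second request in flight at the same
# time overwrites it before the first request reads it back.
_current_customer: Optional[str] = None


def vulnerable_transactions(customer_id: str,
                            barrier: Optional[threading.Barrier] = None) -> List[str]:
    global _current_customer
    _current_customer = customer_id          # step 1: record who is asking
    if barrier is not None:
        barrier.wait()                       # another request runs here
    return LEDGER[_current_customer]         # step 2: read it back (may be someone else)


# --- Corrected pattern -----------------------------------------------------
# Identity travels with the request; nothing about this call is shared.
def fixed_transactions(customer_id: str,
                       barrier: Optional[threading.Barrier] = None) -> List[str]:
    if barrier is not None:
        barrier.wait()                       # same interleaving, no shared state
    return LEDGER[customer_id]


# --- Isolation test harness ------------------------------------------------
def sequential_results(handler: Handler, customers: List[str]) -> Dict[str, List[str]]:
    """One request at a time, the way a typical functional test runs."""
    return {cid: handler(cid, None) for cid in customers}


def concurrent_results(handler: Handler, customers: List[str]) -> Dict[str, List[str]]:
    """All requests in flight at once, synchronised so they interleave."""
    barrier = threading.Barrier(len(customers))
    results: Dict[str, List[str]] = {}
    lock = threading.Lock()

    def worker(cid: str) -> None:
        rows = handler(cid, barrier)
        with lock:
            results[cid] = rows

    threads = [threading.Thread(target=worker, args=(cid,)) for cid in customers]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def isolation_violations(results: Dict[str, List[str]]) -> List[str]:
    """Customers whose response contained a row that is not theirs."""
    return sorted(cid for cid, rows in results.items()
                  if any(row not in LEDGER[cid] for row in rows))


if __name__ == "__main__":
    customers = ["cust-A", "cust-B"]
    for name, handler in [("vulnerable", vulnerable_transactions),
                          ("fixed", fixed_transactions)]:
        seq = isolation_violations(sequential_results(handler, customers))
        con = isolation_violations(concurrent_results(handler, customers))
        print(f"{name:10s} sequential leaks: {seq}  concurrent leaks: {con}")
```

The sequential run reports no violation for either handler, so a suite that exercises one customer at a time is green on both. Only the concurrent run exposes the vulnerable handler: with both threads parked on the barrier after step 1, whichever customer wrote the shared variable last is the one both responses are built for, and the other customer receives somebody else's rows.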

What Affected Customers Should Do

If you used Lloyds, Halifax, or Bank of Scotland mobile apps between 03:28 and 08:08 GMT on March 12, 2026:

  1. Review your transactions — Check for any unauthorized activity, though Lloyds says none has been identified
  2. Be sceptical of contact that quotes your transactions — A call or message that knows your recent payees, amounts or payment references is not proof it comes from the bank; another app user may have seen that detail during the window, and it is exactly what a social engineer would use to sound credible
  3. Consider a compensation claim — If you experienced distress or have evidence of harm, contact Lloyds directly
  4. Be wary of phishing — Attackers often exploit publicized breaches with targeted phishing campaigns impersonating affected organizations

The incident adds to a pattern of UK banking technical failures drawing regulatory scrutiny. Organizations handling financial data should assume that any exposure—regardless of whether it results in immediate fraud—carries reputational and regulatory consequences.
