
Mar 29, 2026 · 6 min read

A Lloyds App Glitch Showed 448,000 Customers Each Other's Bank Transactions

An overnight software update broke account isolation in the banking app. For nearly five hours, customers at Lloyds, Halifax, and Bank of Scotland could see strangers' payments, account numbers, and National Insurance numbers.


What Happened

On the night of March 11, 2026, Lloyds Banking Group pushed a routine software update to the API that handles transaction data in its mobile banking app. The update contained a defect that broke account isolation: when two users accessed the system within fractions of a second of each other, the API could serve one customer's transaction list to the other.

The exposure window lasted from 3:28 AM to 8:08 AM on March 12, a span of four hours and forty minutes. During that time, 1.67 million of the bank's 21.5 million mobile users logged in. Of those, up to 447,936 customers were potentially exposed to another person's transaction data.

Lloyds reported that 114,182 individuals actually clicked on transactions that revealed other users' personal data, meaning they saw detailed payment information belonging to someone else.

What Was Exposed

The leaked data went beyond simple transaction amounts. Customers who drilled into individual payments could see:

  • Transaction amounts, dates, and payment references
  • Sort codes and account numbers
  • Text entered with transactions, which in some cases included National Insurance numbers and vehicle registration details
  • Transaction data for recipients at other banks, not just Lloyds customers

National Insurance numbers are the UK equivalent of Social Security numbers. Combined with account numbers and transaction patterns, this data could enable identity theft, targeted phishing, or social engineering attacks.

Three Brands, One Broken API

The glitch affected all three of Lloyds Banking Group's consumer brands: Lloyds, Halifax, and Bank of Scotland. All three share the same mobile banking infrastructure, which means a single API defect cascaded across the entire customer base.

Lloyds notified regulators on the morning of March 12 and filed a formal notification with the Information Commissioner's Office within the required 72-hour window under UK data protection law. The bank has been instructed to provide updates to a parliamentary committee within one month and again after six months.

The Real Cost

Lloyds says no customers suffered direct financial losses from the incident. The bank has paid approximately 139,000 pounds in goodwill compensation to 3,625 customers for "distress and inconvenience," an average of about 38 pounds per person.

That figure is likely to grow. The Information Commissioner's Office investigation is ongoing, and UK data protection fines can reach up to 4% of annual global turnover under the UK GDPR. For Lloyds Banking Group, which reported 17.6 billion pounds in revenue in 2025, the theoretical maximum fine is over 700 million pounds.

More immediately, the incident exposed a systemic risk in how major banks handle software deployments. An overnight update pushed to production without adequate testing or staged rollout affected nearly half a million customers before anyone caught the problem.

Why This Matters Beyond Banking

This was not a cyberattack. No hacker exploited a vulnerability. No credentials were stolen. A software bug in a routine update exposed hundreds of thousands of people's financial data to strangers because two API requests arrived at the same time.

Race conditions in APIs, where two simultaneous requests interfere with each other, are one of the most common and preventable classes of software defects. They are well understood, well documented, and have standard mitigation patterns. The fact that this bug made it to production at one of the UK's largest banks raises questions about the quality assurance processes at financial institutions handling millions of customers' data.
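The article does not disclose how the Lloyds API actually mixed up requests, so the following is an added illustration, not Lloyds' code, of one common way this class of defect arises: a handler that writes the authenticated account to a field on an object shared by every in-flight request. The ledger, account ids and handler classes are constructed for the example. It forces the harmful interleaving with events so the cross-account read is reproducible rather than timing-dependent, shows the per-request-context fix beside it, and adds a response-boundary ownership check that would have refused to serialise another customer's records whatever the underlying cause.

```python
"""Shared-state request handling versus per-request context, with an ownership
check at the response boundary. All data and class names are constructed."""
import threading

# Constructed ledger. Each record carries its owner so a response can be checked
# against the requester before it is serialised.
LEDGER = {
    "acct-A": [{"owner": "acct-A", "amount": "3.50", "ref": "coffee"}],
    "acct-B": [{"owner": "acct-B", "amount": "950.00", "ref": "rent"}],
}


class SharedStateHandler:
    """Vulnerable pattern: the authenticated account is written to a field on
    the handler instance, which every concurrent request shares."""

    def __init__(self, ledger):
        self.ledger = ledger
        self.current_account = None

    def authenticate(self, account_id):
        self.current_account = account_id   # step 1: remember who is asking
        return None                         # no per-request context

    def fetch(self, ctx):
        return self.ledger[self.current_account]  # step 2: read the shared field


class PerRequestHandler:
    """Fixed pattern: identity travels in a context object owned by the request
    and is never written to shared state."""

    def __init__(self, ledger):
        self.ledger = ledger

    def authenticate(self, account_id):
        return {"account": account_id}

    def fetch(self, ctx):
        return self.ledger[ctx["account"]]


def run_interleaved(handler):
    """Drive two requests through the handler in the order
    A.authenticate, B.authenticate, A.fetch, B.fetch. Events force that
    interleaving so the outcome is deterministic instead of timing-dependent."""
    a_authed, b_authed = threading.Event(), threading.Event()
    results = {}

    def request_a():
        ctx = handler.authenticate("acct-A")
        a_authed.set()
        b_authed.wait()                 # B's authenticate lands in between
        results["acct-A"] = handler.fetch(ctx)

    def request_b():
        a_authed.wait()
        ctx = handler.authenticate("acct-B")
        b_authed.set()
        results["acct-B"] = handler.fetch(ctx)

    threads = [threading.Thread(target=request_a), threading.Thread(target=request_b)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def verify_ownership(requester, records):
    """Defence in depth at the response boundary: refuse to serialise any record
    whose owner is not the authenticated requester. This catches cross-account
    mixing whatever its cause and is the natural place to raise an alert."""
    foreign = [r for r in records if r["owner"] != requester]
    if foreign:
        raise PermissionError(
            f"response for {requester} contains {len(foreign)} record(s) owned by another account"
        )
    return records


def serve_checked(handler):
    """Run the interleaving and apply the ownership check. Returns, per request,
    either the records or the string 'blocked'."""
    outcome = {}
    for account, records in run_interleaved(handler).items():
        try:
            outcome[account] = verify_ownership(account, records)
        except PermissionError:
            outcome[account] = "blocked"
    return outcome


if __name__ == "__main__":
    print("shared state :", run_interleaved(SharedStateHandler(LEDGER)))
    print("per request  :", run_interleaved(PerRequestHandler(LEDGER)))
    print("with check   :", serve_checked(SharedStateHandler(LEDGER)))
```

With the shared-state handler, request A receives account B's records because B's authenticate step overwrote the shared field before A's fetch ran; the per-request handler returns the right records under the identical interleaving. The ownership check is cheap because every record already knows its owner, and a `PermissionError` at that boundary is exactly the signal a monitoring pipeline should alert on, since a correctly isolated API should never produce it. A deterministic interleaving test like `run_interleaved` belongs in the pre-deployment suite for any endpoint that returns customer data; it is the kind of test that would have failed before an overnight push reached production.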

It also highlights a broader truth about data exposure: not every breach requires a hacker. Sometimes the biggest risks come from the companies you trust with your data making basic engineering mistakes.

What Affected Customers Should Do

If you bank with Lloyds, Halifax, or Bank of Scotland and used the mobile app between 3:28 AM and 8:08 AM on March 12, 2026:

  • Monitor your accounts for unauthorized transactions over the coming months
  • Be alert for phishing emails or calls referencing specific transaction details, which could indicate someone captured your data during the exposure window
  • Consider placing a protective registration with CIFAS, the UK's fraud prevention service, if your National Insurance number may have been exposed
  • Contact Lloyds directly to ask whether your account was among those affected and whether your data was viewed by another customer