When your bank shows you a stranger's account: what happened this morning — and what it means for you

Robert Shone 6 min read

Category: Cyber News
Tags: Data Breaches, Privacy, Human Error
Reading time: 5 minutes


Early on Thursday morning, customers of three major UK high street banks opened their mobile banking apps to find something deeply unsettling: other people's money.

Transactions they had never made. Wages they had never earned. Benefits payments belonging to strangers. In some cases, people could see National Insurance numbers — detailed enough, as one customer described it, to piece together almost someone's entire identity.

The issue affected Lloyds Bank, Halifax, and Bank of Scotland, all of which are run by the same parent company. Reports began appearing just after 7am. By around 9am, the banks confirmed the problem had been fixed. Within hours, a spokesperson had apologised and announced an investigation into what went wrong.

This was not a hack. Nobody broke in. There were no criminals involved. What happened was a technical fault — and understanding the difference matters enormously.


What actually happened

Banking apps are connected to enormous systems that track account balances, transactions, and customer information. When you log in and ask to see your recent payments, the app sends a request to those systems and the systems send back your data.

On Thursday morning, something went wrong with that process. Instead of sending each customer their own data, the system began sending some customers data belonging to other people.

One person logged in repeatedly and saw a different stranger's account each time. Another briefly saw over a million pounds in their balance — money that was not theirs. Several people reported seeing benefit payments and wage transfers that made clear, in some detail, who the other account holders worked for and where they lived.

The crucial point: nobody could do anything with what they saw. They could not move the money. They could not access the other accounts. They could not make payments or withdrawals from them. The data was visible — but the accounts themselves were not open or reachable.

This is an important distinction. A data breach of this kind is alarming, and it is serious. But it is categorically different from a theft, and from an attack by criminals who could exploit what they found.


Who was affected, and for how long?

The banks have not confirmed exactly how many customers were affected, or whether they have notified the relevant UK regulator — the Information Commissioner's Office (ICO), which oversees data privacy law in the UK.

Based on reports from customers, the problem appears to have lasted roughly one to two hours during Thursday morning. The number of people whose data was visible to strangers is unknown.

We contacted Lloyds Banking Group's press office with five questions: how many customers were affected, whether the ICO had been notified, what technical safeguard failed, what steps were being taken to prevent a recurrence, and whether any credentials or full account details were exposed. They responded with the following statement: "We're sorry that some customers experienced an issue viewing transactions in the app for a short time this morning. The issue was quickly resolved and we're looking into what happened." None of our specific questions were addressed in their response.


What the headlines got wrong

Several reports described this as a "data breach" in the most alarming sense of the phrase — language that implies hackers, stolen data, and ongoing risk.

The reality is more mundane, and in some ways more instructive.

Nobody stole anything. Nobody attacked anything. A piece of software made an error. The people who briefly saw the wrong account information could not act on it maliciously even if they had wanted to — they were locked out of the actual accounts.

That does not make it acceptable. It is a serious failure with real consequences for people's privacy and confidence. The data that was briefly visible — National Insurance numbers, wages, employer details — is sensitive. The fact that it was shown to strangers, even briefly and even without being actionable, is a problem that the bank must answer for.

But "my bank had a glitch that showed me someone else's transactions" and "hackers stole millions of customers' data" are very different stories. Treating them the same way does not help anyone.


Why does this kind of thing happen?

Modern banking systems are extraordinarily complex. Millions of customers make transactions simultaneously. Data has to flow correctly between dozens of interconnected systems at all times.

Most of the time, it does. When it does not, faults like this can occur — not because anyone did anything malicious, but because the system made an error that nobody anticipated.

The technical term for what appears to have happened here is a data isolation failure — where the system that is supposed to keep each customer's data separate from everyone else's temporarily lost track of those boundaries.

Banks are required by law to prevent this kind of exposure. They are also required to report certain types of data incident to the ICO within 72 hours of discovering them. Whether this incident meets that threshold will be a matter for the regulator to decide.


Could there be fines or consequences?

Possibly, yes.

Under UK data protection law, organisations that fail to keep personal data secure — even through technical accident rather than deliberate negligence — can face regulatory action. The ICO has the power to issue fines, require audits, and compel changes to systems and processes.

Whether it does so depends on several factors: the scale of the exposure, how quickly the bank responded, whether it notified the regulator appropriately, and what the root cause investigation reveals.

This is not unusual territory for UK banks. Previous incidents involving data being incorrectly shared or exposed have resulted in formal investigations and, in some cases, significant fines. We will follow up on this story as the regulatory picture develops.


What does this mean for me?

If you use Lloyds, Halifax, or Bank of Scotland apps, here is what we know:

Your money is safe. Nobody could access, move, or withdraw from any account — including yours. The fault was in what was displayed, not in what was accessible.

Some of your transaction data may have been briefly visible to other customers during the window of the fault. This is uncomfortable, but not immediately actionable by anyone who saw it.

You do not need to change your password or PIN. This was not a credential breach — nobody obtained login information. However, if you ever receive an unexpected call, text, or email claiming to be from your bank about suspicious activity, treat it with caution and call the number on the back of your card to verify.

If you are worried, you can contact your bank. They are obligated to respond to questions about data incidents affecting you. Ask whether your data was among those incorrectly displayed and what they are doing to prevent a recurrence.


The broader lesson

This story is a useful reminder that most data privacy incidents are not caused by shadowy criminals — they are caused by mistakes in complex systems designed by and operated by people.

The risk is not just from the outside. It is from the inside too: from software that misbehaves, from systems that lose track of their boundaries, from the sheer complexity of keeping millions of people's private information flowing correctly every second of every day.

Banks spend enormous sums on cybersecurity. Most of the time, that money is well spent. But no system is perfect, and no amount of spending eliminates the possibility of human or technical error.

What matters when it goes wrong is how quickly the problem is identified, how completely it is fixed, and how transparently the organisation explains what happened and what has changed.

On speed, Lloyds appears to have moved quickly. On transparency, the picture is much less complete. We asked five specific questions. We received an apology and a confirmation that an investigation is underway. We will follow up when more is known.


🧠 The Human Factor

Technology involved: Banking app data routing system
Root cause: A technical fault caused customer data to be served to the wrong accounts — a failure of data isolation
What was at risk: Transaction history, National Insurance numbers, employer details — visible to strangers, but not accessible to them
Prevention: Stricter isolation testing, separation of data streams, and better pre-release quality checks on systems that handle personal financial data

References and sources

The facts in this article draw on reports published on 12 March 2026 by BBC News, the Times & Star, and other outlets covering the incident as it developed.

Martin Lewis (MoneySavingExpert) was among the first to report widespread customer concerns, asking followers on X to share what they were seeing in the affected apps.

Professor Markos Zachariadis, Professor of Financial Technology and Information Systems at the University of Manchester, commented to the BBC that the incident was "unusual" and noted that growing complexity in digital banking architecture increases the risk of this kind of fault.

We have submitted a question to the ICO asking whether they have been notified of this incident.


Last updated: 17 March 2026
We update breaking stories as new information becomes available.