Bank app data leak exposes Lloyds customers to strangers’ transactions

Users of Lloyds, Halifax and Bank of Scotland apps could see other people’s payments and balances

By Sarah Mills | GlobalBeat

A routine Tuesday morning banking check turned into a privacy nightmare for Lloyds Banking Group customers when they opened their apps to find strangers’ mortgage payments, grocery purchases and account balances displayed on their screens.

The incident, affecting customers of Lloyds Bank, Halifax and Bank of Scotland, marks the most significant British banking app data leak since TSB’s catastrophic 2018 migration failure left millions locked out of accounts for weeks. With digital banking now handling 78% of all UK transactions, according to industry body UK Finance, the breach raises fresh questions about the security of Britain’s increasingly digitized financial infrastructure.

“I could see someone else’s mortgage payment”

Customers began reporting the issue on social media around 9:30 AM Tuesday, posting screenshots showing account details belonging to other users. The bank app data leak appeared to affect both iOS and Android users, with customers describing everything from mortgage payments to Starbucks purchases appearing in their transaction feeds.

One Halifax customer, who asked to remain anonymous, told GlobalBeat they could view detailed payment information for what appeared to be a small business account, including supplier payments totaling thousands of pounds. “I refreshed the app thinking it was a glitch, but the same stranger’s account kept appearing,” they said. “I could see their incoming salary payments, utility bills, even their weekly Tesco shop.”

Lloyds Banking Group acknowledged the issue in a brief statement, confirming customers had experienced “problems viewing accurate account information” through its mobile banking apps.

Technical hiccup or systemic failure?

The bank refused to specify how many customers were affected or how long the bank app data leak persisted, citing only “a small number of customers” experiencing difficulties. However, social media reports suggest the issue spanned several hours and multiple Lloyds Banking Group brands.

Cybersecurity experts say the nature of the breach — displaying wrong customer data rather than exposing it externally — suggests a backend database misconfiguration rather than external hacking. “This looks like a session management problem where the app served user A with user B’s data,” explained Simon Edwards, a former National Cyber Security Centre analyst. “It’s embarrassing but not necessarily a criminal breach, though the Information Commissioner’s Office will want answers.”

The timing proves particularly awkward for Lloyds, which has invested £3 billion in digital transformation since 2021 and operates Britain’s most-downloaded banking app suite with over 15 million active users.

Privacy regulators circle as complaints mount

The Information Commissioner’s Office confirmed it had received “multiple complaints” about the incident and was “making enquiries” with Lloyds Banking Group. Under GDPR rules, organizations must report serious personal data breaches within 72 hours of discovery.

Financial data represents the most sensitive category of personal information under privacy laws, carrying potential fines of up to 4% of global turnover. For Lloyds Banking Group, that could theoretically mean a £600 million penalty, though regulators typically reserve maximum fines for willful or repeated negligence.

“The real question is whether this represents a one-off technical glitch or systemic poor practice,” said digital rights campaigner Jeni Tennison. “Unfortunately, we only find out when something goes catastrophically wrong.”

Trust deficit grows in digital banking

But the challenge runs deeper than one morning’s chaos. Trust in digital banking has been steadily eroding since the TSB debacle, with Which? research showing 37% of customers now keep accounts with multiple banks specifically as insurance against IT failures.

The numbers tell a different story than banks’ rosy digital transformation narratives. Complaints about banking IT failures to the Financial Ombudsman Service have risen 46% since 2020, while social media monitoring shows technical problems spark three times more negative sentiment than traditional branch closures.

What makes this incident particularly damaging is its fundamental betrayal of banking’s core promise: your money and your information remain private. When apps spew strangers’ financial affairs across screens, it shatters the illusion of digital banking as merely an electronic version of a secure vault.

Tuesday morning shock for mortgage holders

Consider the real-world impact: Sarah, a Halifax mortgage customer, opens her app to check if her monthly payment cleared, only to find herself staring at someone else’s £1,200 mortgage payment and their £34,000 remaining balance. She knows their salary hits on the 15th, their partner’s name is David, and they spend £80 weekly at the local pub.

Now imagine being the customer whose intimate financial life appears on a stranger’s phone — every direct debit, every embarrassing Just Eat order, every private transfer to family members listed for someone else to judge. The psychological violation extends far beyond mere data exposure.

For both parties, that relationship of absolute confidentiality between bank and customer has been irrevocably damaged.

Global banking sector battles similar breaches

The Lloyds incident parallels similar breaches affecting major international banks. In 2022, German giant Deutsche Bank admitted a “configuration error” exposed customer data, while Australia’s Commonwealth Bank faced regulatory scrutiny after users reported seeing other customers’ accounts through its app.

International banking regulators have grown increasingly vocal about IT resilience, with the European Central Bank warning in October that “operational disruptions” represent the sector’s most pressing risk. The Basel Committee on Banking Supervision will implement new operational resilience requirements in January 2025, forcing banks to demonstrate they can withstand and recover from IT failures within strict timeframes.

These standards can’t come soon enough for customers whose financial lives increasingly exist only in digital form.

Investigation timeline tightens as questions multiply

Lloyds Banking Group faces a ticking clock to satisfy regulators and restore customer confidence. The bank must submit its initial incident report to the Financial Conduct Authority by Friday, with a fuller investigation due within 30 days.

Customers affected by the bank app data leak should have already received text messages advising them to log out and back into their apps, though the bank stopped short of advising password changes. The Information Commissioner’s Office typically takes four to six months to complete investigations, with any enforcement action following publication of findings.

Meanwhile, expect awkward questions at Lloyds’ annual shareholder meeting next month, where executives will face demands for transparency about what went wrong and assurances it won’t happen again. Given that 48% of UK adults now bank primarily through mobile apps, according to UK Finance, anything less than comprehensive answers risks accelerating the gradual migration back to traditional banks that offer both digital convenience and human reassurance.