Cyber Incident Victim: Lloyds Banking Group
Date: Mar 2026
Location: United Kingdom
Summary
Lloyds Banking Group experienced a software defect introduced during an overnight IT update that allowed some customers using its mobile app to view other users' transaction details when accessing their accounts simultaneously. The exposed information could include amounts, dates, payment identifiers, sort codes, account numbers, National Insurance numbers and, in some cases, data from non‑customers when payments were sent to external accounts. The bank stated that no funds were moved, balances were unchanged and the issue was resolved quickly, with goodwill payments made to a subset of affected users for distress and inconvenience.
Description
Overnight between 11 and 12 March 2026, Lloyds Banking Group deployed an IT change to update the application programming interface (API) used by its mobile banking app. A defect in the design of the code for this API update caused the system to display one user’s transaction data to another when two customers accessed their account transaction lists at nearly the same moment. Simultaneous access could therefore result in a customer seeing another customer’s transactions, or having their own transactions visible to someone else. The issue was identified on the morning of 12 March and was resolved at 08:08 that same day, after which the problem did not recur.

Lloyds reported that of its 21.6 million mobile app users, approximately 447,936 customers may have been presented with another user’s transactions or had their own transactions shown to another user during the incident. Of that group, 114,182 customers may have clicked to view transaction details, thereby potentially seeing someone else’s information. The exposed data could include transaction amounts, dates, payment identifiers that might contain National Insurance numbers, and, if a user clicked into a specific transaction, sort codes, account numbers, National Insurance numbers, vehicle registration numbers, or text entered in the reference field. In some cases the visible information related to individuals who were not Lloyds customers, such as when a payment was made to an account held at another bank.

Lloyds stated that no customer suffered a loss, that account balances were unaffected, and that users could not perform unauthorised actions or move money on another person’s account. The bank notified the relevant financial authorities and the UK Information Commissioner’s Office, and said it was fully cooperating with any further enquiries. Lloyds communicated the incident to customers via social media, issued an apology noting that the issue was fixed quickly and that it was reviewing the event to prevent recurrence, and made goodwill payments of roughly £139,000 to about 3,625 affected customers for distress and inconvenience.
