The digital bank Monzo has told 480,000 customers to change their PINs after it discovered an error that allowed unauthorised staff to view sensitive information.
Monzo said that it normally stored PINs in a “particularly secure” part of its systems that only select employees can access. However, on Friday, 2 August, it learned that it had been recording some people’s PINs in a different part of its system.
Although the information was in encrypted log files, more than 100 Monzo engineers could view the information.
The organisation has since deleted the data that was incorrectly stored, and updated its apps to fix the issue.
What went wrong?
Sujith Parambath, IT Governance’s head of PCI consultancy, explains the errors that led to this incident:
“As an issuer of bank cards, Monzo stores PIN data of its customers in an encrypted format which they state is ‘normally tightly secured with extremely limited access’.
“However, this issue is related to PINs being inadvertently stored in log files as plaintext, which were accessible by roughly 110 Monzo engineers, who normally would not have the clearance nor any need to see customer PINs.
“It’s important to remember that there could be a number of log sources within an organisation’s computer environment.
“It is up to the organisation to identify and document these log sources as part of their log-management programme and more importantly in scope of their PCI DSS (Payment Card Industry Data Security Standard) environment.”
The PCI DSS is an information security standard designed to increase the security of cardholder data, reducing payment card fraud and accidental breaches.
Any organisation that accepts, stores, transmits or processes cardholder data must comply with the Standard’s requirements.
As Sujith notes, the PCI DSS “specifically calls for log data to be examined across a number of log sources such as application logs, audit logs, transaction, history, error, debug logs for storage after authorisation including PANs, CVV2s, CVC2s and PIN data”.
The Standard also requires organisations to limit access to system components and cardholder data to only those employees who need the information to do their jobs.
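As an added example (not Monzo's code, nor IT Governance's), the check below runs the kind of log examination the Standard describes over a few constructed log lines: it flags field names such as pin= and cvv= that should never carry a value in a log, flags any 13-19 digit run that passes the Luhn checksum used by card PANs, and produces a redacted copy of the line. The sample lines and field names are assumptions for illustration.

```python
import re

# Constructed sample log lines (not from any real system). The first leaks a PIN and
# a PAN through an application log; the third holds a 16-digit id that is NOT a PAN.
SAMPLE_LOGS = [
    "2019-08-02T10:15:01Z INFO card.activate user=u123 pin=4821 pan=4111111111111111 ok",
    "2019-08-02T10:15:02Z INFO card.activate user=u124 ok",
    "2019-08-02T10:15:03Z DEBUG request_id=1234567890123456 latency_ms=42",
]

# Field names (assumed) whose value should never reach a log line.
SENSITIVE_FIELD = re.compile(r"\b(pin|pan|cvv2?|cvc2?|card_number)=([^\s,;]+)", re.IGNORECASE)
# Any 13-19 digit run is a PAN candidate; the Luhn check weeds out ordinary identifiers.
PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum that card PANs carry."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_line(line: str):
    """Return (findings, redacted_line); findings is a list of (kind, value) tuples."""
    findings = []

    def mask_field(m):
        findings.append((m.group(1).lower(), m.group(2)))
        return f"{m.group(1)}=[REDACTED]"

    def mask_pan(m):
        if luhn_ok(m.group(0)):
            findings.append(("pan", m.group(0)))
            return "[REDACTED-PAN]"
        return m.group(0)

    redacted = SENSITIVE_FIELD.sub(mask_field, line)
    redacted = PAN_CANDIDATE.sub(mask_pan, redacted)
    return findings, redacted


def scan_logs(lines):
    """Return [(line_number, findings)] for every line that leaks cardholder data."""
    return [(n, f) for n, (f, _) in enumerate((scan_line(l) for l in lines), start=1) if f]


if __name__ == "__main__":
    for n, findings in scan_logs(SAMPLE_LOGS):
        print(f"line {n} leaks: {[kind for kind, _ in findings]}")
```

In practice the scanner would run against each documented log source on a schedule, and every hit would be treated as an incident rather than a clean-up task, because the value has already been written to disk.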
Geraint Williams, IT Governance’s CISO, adds that “effective immediately, Mastercard will no longer require an acquirer to report merchant PCI DSS compliance to Mastercard on a quarterly basis.”
Monzo was in a situation where it was not quite autonomous but neither was it a vendor for Mastercard. With no one overseeing its compliance practices, it was up to Monzo to keep its systems secure, which it failed to do.
“As a result, 480,000 folks, a fifth of the bank’s customers, now have to go to a cash machine, and reset their PINs,” Geraint concludes.
The good news is that Monzo’s breach doesn’t appear to be a result of the bank ignoring its PCI DSS requirements. The bank’s statement suggests that it believed its processes were fit for purpose, and that the breach was the result of a vulnerability that appeared during an update, which was quickly spotted.
The bad news is that a breach is a breach no matter how it occurred, and Monzo should have implemented additional measures to prevent it occurring.
Sujith says the bank should have documented the log type and characteristics of each system as part of its log management programme. As the PCI SSC Log Supplement says: “Without a structured approach to security log monitoring, efforts to protect information assets will remain erratic at best.”