Lloyds, Bank of Scotland and Halifax apps showed customers other users’ transactions

The incident represents a significant escalation from previous technical issues that have plagued banking apps. While past outages typically resulted in customers being unable to access their own accounts or view recent transactions, this latest flaw exposed cross-customer data, a far more severe breach of trust and privacy. Lloyds Banking Group, the parent company for all three affected banks, quickly issued an apology for the disruption and confirmed that the underlying issue had been resolved. However, the full extent of the compromise, including the exact number of users affected and the duration of the exposure, remains unclear, fueling anxiety among its vast customer base.

Reports of the problem surged between 07:00 and 09:00 GMT on Thursday, according to outage tracking website Downdetector.com. Both the Halifax and Lloyds apps experienced a significant spike in reported issues during this period, indicating a widespread problem. A smaller, but still notable, increase in reports was also observed for the Bank of Scotland app. While Downdetector offers a valuable snapshot of user-reported problems, it often only captures a fraction of the actual affected population, suggesting the true scale of the incident could be considerably larger. Given that Lloyds Banking Group serves millions of customers across the UK, even a small percentage experiencing this glitch could translate into thousands, if not tens of thousands, of individuals whose data was inadvertently exposed.

One particularly disturbing account came from a 55-year-old woman, who wished to remain anonymous, residing in Kirkcaldy, Fife. She described an astonishing 20-minute period during which she could access the accounts of at least six different users via the Bank of Scotland app. Her testimony painted a vivid picture of the depth of the data exposure. She recounted seeing a diverse range of transactions, from purchases made at a pub in Newcastle, some 154 miles from her home, to fees incurred from using a card abroad, and even wage payments from a company based in England. The geographical disparity of these transactions underscored the random and widespread nature of the data cross-contamination.

Even more concerning was her ability to view benefit payments from the Department of Work and Pensions (DWP). These payments often include the recipient’s National Insurance number as a payment reference, effectively exposing a crucial piece of personal identification. "There were transactions from Waitrose, there isn’t a Waitrose near us," she told BBC News, highlighting the immediate red flags that alerted her to the breach. She further elaborated on her experience: "I kept logging out and back in, and every time the details changed. I can see another person’s bank account, he got paid £6,000 yesterday. Others, I can see their benefits payments, their National Insurance numbers, I can see where they work, almost their whole identity." This chilling statement encapsulates the profound threat posed by such a data leak, where an individual’s financial stability, employment details, and core identity markers could be laid bare to strangers.

This incident is not the first time the Lloyds Banking Group and its digital platforms have faced scrutiny over technical stability. Previous outages in January and February 2025 affected approximately 1.2 million people in the UK. Those earlier glitches, which hit the Lloyds Bank, Halifax, and Bank of Scotland apps, were primarily characterised by users being unable to access their own accounts or make payments. Thousands of reports flooded Downdetector during those periods, prompting calls from consumer groups and financial officials for banks to significantly enhance their technological resilience and infrastructure.

However, the nature of Thursday’s incident marks a critical departure. While previous issues were largely about service unavailability or limited access to one’s own data, this event involved the direct exposure of other customers’ private financial and personal information. This distinction is crucial because it elevates the problem from a service inconvenience to a potential data breach under regulatory frameworks like the General Data Protection Regulation (GDPR). GDPR imposes strict rules on how personal data is handled and protected, and any unauthorised access or disclosure can lead to severe penalties.

The UK’s data watchdog, the Information Commissioner’s Office (ICO), has been approached for comment by the BBC. The ICO’s role is to uphold information rights in the public interest, and it has the power to investigate data breaches and levy substantial fines on organisations found to be in non-compliance with data protection laws. Given the potential exposure of National Insurance numbers and detailed financial transactions, the incident almost certainly constitutes a reportable breach under GDPR. Organisations are generally required to report data breaches to the ICO within 72 hours of becoming aware of them, especially if there is a risk to individuals’ rights and freedoms. As of the initial reporting, Lloyds had not confirmed whether it had contacted the ICO or any other UK regulators, a silence that could attract further scrutiny.

From a technical perspective, such a glitch could stem from a variety of complex software or infrastructure failures. Potential causes might include:

  1. Session Management Errors: Incorrect handling of user sessions, where a user’s session token inadvertently points to another user’s data.
  2. Caching Issues: Server-side caching mechanisms incorrectly serving cached data belonging to one user to another.
  3. Database Configuration Errors: A flaw in how queries are constructed or how data is retrieved, leading to an incorrect dataset being returned.
  4. API Misconfigurations: Application Programming Interface (API) endpoints that are supposed to serve specific user data instead returning broader, unintended datasets.
  5. Load Balancer Malfunctions: Issues with load balancers distributing traffic or sessions incorrectly, causing users to be linked to the wrong data.
  6. Deployment Errors: Recent software updates or changes to the application’s backend infrastructure introducing bugs that lead to data cross-contamination.

The fact that the incident was reportedly "resolved" relatively quickly suggests a server-side fix was implemented, likely involving a rollback to a previous stable version, a hotfix, or a temporary disabling of the affected functionality, rather than requiring a full app update for all users.
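To make the caching scenario in the list above concrete, the following added example (illustrative code, not Lloyds' software; the account data, endpoint name and user ids are constructed) shows a transactions endpoint whose response cache is keyed only by the request path, beside the corrected version keyed by the authenticated user, together with a regression check and a defensive owner check of the kind an investigation would add.

```python
# Added illustration (not the bank's code): a response cache keyed only by the
# request path hands one customer's transactions to the next caller.
from dataclasses import dataclass, field

# Constructed sample data: two customers, each payload tagged with its owner.
ACCOUNTS = {
    "user-a": {"owner": "user-a",
               "transactions": [("Waitrose", -42.10), ("Salary ACME LTD", 6000.00)]},
    "user-b": {"owner": "user-b",
               "transactions": [("Pub, Newcastle", -18.50), ("DWP benefit", 312.00)]},
}

@dataclass
class Cache:
    """Minimal stand-in for a server-side response cache."""
    store: dict = field(default_factory=dict)

    def get_or_set(self, key, producer):
        if key not in self.store:
            self.store[key] = producer()
        return self.store[key]

def transactions_vulnerable(cache, user_id):
    # BUG: the key omits the user, so whoever warms the cache is served to everyone.
    return cache.get_or_set("/api/transactions", lambda: ACCOUNTS[user_id])

def transactions_fixed(cache, user_id):
    # Fix: scope the cache entry to the authenticated principal.
    return cache.get_or_set(("/api/transactions", user_id), lambda: ACCOUNTS[user_id])

def cross_user_leak(handler):
    """Regression check: after user A warms the cache, does user B see A's data?"""
    cache = Cache()
    handler(cache, "user-a")
    return handler(cache, "user-b")["owner"] != "user-b"

def serve(cache, handler, user_id):
    """Defence in depth: never return a payload whose owner tag is not the caller."""
    payload = handler(cache, user_id)
    if payload["owner"] != user_id:
        raise PermissionError(f"cross-user payload blocked for {user_id}")
    return payload
```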

The psychological impact on customers is profound. The ability for strangers to view one’s financial movements, wage slips, and even government benefits creates significant anxiety and a deep sense of vulnerability. Customers may fear identity theft, financial fraud, or simply the violation of their privacy. This incident severely erodes trust in digital banking services, which have become an indispensable part of modern life. Banks rely heavily on this trust, and a breach of this magnitude can have long-lasting reputational damage. Customers are now advised to remain vigilant, closely monitor their bank statements for any suspicious activity, and report anything unusual immediately.

Looking ahead, Lloyds Banking Group faces a comprehensive internal investigation to pinpoint the exact root cause of the glitch. This will likely involve forensic analysis of logs, code reviews, and system audits to prevent recurrence. Beyond the immediate technical fix, the group will need to communicate transparently with affected customers, providing clear guidance and assurances. Depending on the ICO’s findings, there could be requirements for further remedial actions, which might include enhanced security protocols, system overhauls, and potentially even compensation for individuals whose data was compromised. The broader banking industry will also be watching closely, as such incidents serve as a stark reminder of the continuous need for robust cybersecurity measures and resilient IT infrastructure in an increasingly digital world. The call from consumer groups and officials for banks to boost their resilience is now louder than ever, underscoring the critical balance between technological innovation and the unwavering responsibility to protect customer data.
