
TL;DR: On March 12, 2026, a botched software update broke account isolation in Lloyds Banking Group's mobile apps. For nearly five hours, 1.67 million users who logged in could potentially see other customers' transactions. Up to 448,000 may have been exposed. Some 114,000 users actively clicked into transaction details, revealing sort codes, account numbers, and National Insurance numbers used as payment references. Lloyds paid £139,000 in compensation to 3,625 customers. No external hack. Just broken code.

What Happened

Between 03:28 and 08:08 GMT on March 12, an overnight software update to the Lloyds, Halifax, and Bank of Scotland mobile apps introduced a critical bug. When two users accessed their transaction lists at the same time, the API mixed up their responses and started showing one customer's data to another.

During those 4.5 hours, 1.67 million people logged into the apps. According to Lloyds' internal analysis:

  • 447,936 customers could have seen other users' transaction lists
  • 114,182 users clicked into detailed payment views, exposing more sensitive data

The bank claims no financial losses have been reported. But the data that was visible? That's a different story.

What Data Was Visible

Users who stumbled into someone else's account could see:

Transaction Lists

Payment amounts, dates, and references. Who paid whom and when.

Account Details

Sort codes and account numbers when clicking into detailed views.

Payment References

National Insurance numbers and vehicle registration plates. People often use these as payment references.

Third-Party Data

Information about non-Lloyds customers who received payments from affected accounts.

National Insurance numbers are the UK equivalent of Social Security numbers. Having someone's NI number plus their transaction history is enough to start building an identity theft profile.

How the Bug Broke Things

The technical explanation is almost boring in its simplicity: a software defect introduced via overnight update broke API isolation. When simultaneous requests hit the system, it served the wrong data to the wrong user.

This isn't a sophisticated attack. No hackers. No social engineering. Just a bad code deployment that nobody caught before it went live.

The bank identified and fixed the issue within hours. But by then, over a hundred thousand people had already clicked around in accounts that weren't theirs.
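The public account goes no further than "broke API isolation" under simultaneous requests, so the added example below (not Lloyds' code) assumes one common form of that defect: request identity kept in state shared across concurrent requests. All class and function names and the sample ledger are constructed for illustration; the sketch shows the vulnerable pattern, the request-scoped fix, a fail-closed ownership check, and a concurrency probe that could gate a release.

```python
import asyncio

# Constructed sample data: two customers, each row tagged with its owner.
LEDGER = {
    "alice": [{"owner": "alice", "ref": "RENT MARCH", "amount": -850}],
    "bob": [{"owner": "bob", "ref": "CAR TAX", "amount": -190}],
}

class SharedStateHandler:
    """Vulnerable: request identity lives on an object shared by all requests."""
    def __init__(self):
        self.current_user = None

    async def transactions(self, session_user):
        self.current_user = session_user  # a concurrent request overwrites this
        await asyncio.sleep(0)            # stands in for a database or network wait
        return LEDGER[self.current_user]

class ScopedHandler:
    """Hardened: identity never leaves the request's own local scope."""
    async def transactions(self, session_user):
        await asyncio.sleep(0)
        return LEDGER[session_user]

class OwnerGuard:
    """Defence in depth: fail closed if any row is not owned by the session user."""
    def __init__(self, inner):
        self.inner = inner

    async def transactions(self, session_user):
        rows = await self.inner.transactions(session_user)
        if any(row["owner"] != session_user for row in rows):
            raise PermissionError("response owner does not match session")
        return rows

async def _probe(handler, users, rounds):
    leaked = blocked = 0
    for _ in range(rounds):
        calls = (handler.transactions(u) for u in users)
        results = await asyncio.gather(*calls, return_exceptions=True)
        for user, res in zip(users, results):
            if isinstance(res, PermissionError):
                blocked += 1
            else:
                leaked += sum(row["owner"] != user for row in res)
    return leaked, blocked

def isolation_check(handler, users=("alice", "bob"), rounds=20):
    """Pre-release gate: returns (rows leaked across users, responses blocked)."""
    return asyncio.run(_probe(handler, users, rounds))
```

A single-user test never trips the shared-state handler; only the concurrent probe does, which is why an isolation check of this kind belongs in the deployment pipeline rather than in unit tests alone.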

The Payout

Lloyds has distributed £139,000 to approximately 3,625 customers. That works out to about £38 per person, what the bank calls "goodwill payments" for "distress and inconvenience."

Not compensation for financial loss. Not compensation for potential identity theft. Just a small payment to make the PR problem go away.

The bank notified regulators the morning of the incident and filed formal notification with the UK's Information Commissioner's Office within the required 72-hour window.

The Bigger Problem

This incident highlights something banks don't like talking about: their apps are complex systems with millions of lines of code, and bugs happen. Usually they're caught in testing. Sometimes they're not.

Lloyds isn't unique here. In 2025, NatWest had a similar glitch that briefly exposed customer data. TSB's 2018 IT migration disaster left customers locked out for weeks and exposed accounts to fraud.

The pattern: banks rush updates, skip adequate testing, and customers pay the price. It's a recurring theme in the year's worst data breaches.

What You Should Do

If you used the Lloyds, Halifax, or Bank of Scotland app on March 12:

Check Your Statements

Look for any unfamiliar transactions. The exposure window was brief, but data could be used later.

Monitor Credit

If your NI number was visible in payment references, consider signing up for a credit monitoring service.

Request Clarification

Contact Lloyds to ask whether your specific account was affected. They have the logs.

Document Everything

If you saw someone else's data, or suspect yours was seen, keep records. The £38 payout isn't the end of this story.

The Bottom Line

Nearly half a million UK banking customers had their data potentially exposed because of a software bug. No hackers needed, just sloppy code deployment.

The bank's response: notify regulators, fix the bug, and hand out £38 payments to people who complained loudly enough. Meanwhile, National Insurance numbers and transaction histories were visible to random strangers for 4.5 hours.

This is what happens when "move fast and break things" meets banking infrastructure. Sometimes you break customer privacy instead.
