Lloyds mobile banking software flaw exposes transaction data to concurrent users
Summary
A faulty software update in Lloyds Banking Group’s mobile banking platform caused a five-hour window on March 12, 2026 during which transaction details from current accounts were briefly exposed to other users accessing their transaction lists within similar timeframes. The incident affected 447,936 mobile banking users, with 114,182 potentially viewing sensitive payment details such as sort codes, account numbers, National Insurance numbers, and vehicle registrations. Balances remained unaffected and no unauthorized transactions were possible. Lloyds attributed the issue to a glitch in a software update deployed at 03:28 UTC and resolved at 08:08 UTC, with no recurrence reported.
Timeline
- 31.03.2026 13:07
Race condition in Lloyds mobile banking update exposes transaction data between concurrent users
A software update for Lloyds mobile banking platform introduced a race condition that allowed transaction details from one user’s current account to be briefly visible to another user accessing their transaction list within fractions of a second. The flaw existed between 03:28 and 08:08 UTC on March 12, 2026. During this period, 447,936 users saw other users’ transaction data, with 114,182 clicking through to view individual payment details. Lloyds reported no unauthorized transactions occurred and mitigated the issue by reverting the update within five hours.
- Lloyds Data Security Incident Impacts 450,000 Individuals — www.securityweek.com — 31.03.2026 13:07
Information Snippets
- The software flaw occurred when two users accessed their transaction lists within fractions of a second of each other, causing transaction data from one user to be visible to the other.
First reported: 31.03.2026 13:07 (1 source, 1 article)
- The flawed update was deployed on March 12, 2026, at 03:28 UTC and reverted at 08:08 UTC, resulting in a five-hour exposure window.
- Transaction details exposed included amounts, dates, payment identifiers, sort codes, account numbers, National Insurance numbers, vehicle registration numbers, and text in reference fields.
- Of 21.5 million mobile banking users, 1.67 million logged in during the incident window, with 447,936 users experiencing data exposure and 114,182 clicking through to view individual transaction details.
- Lloyds reported no unauthorized actions or balance changes, and assessed that the exposed data alone was unlikely to enable fraudulent activity.
- Lloyds made goodwill payments totaling approximately £139,000 (~$183,600) to around 3,625 affected customers.