Lloyds pays £62,000 to customers after app data breach

Ryan Brothwell

Key Points

  • Lloyds paid around £62,000 in goodwill payments to roughly 1,625 customers between 24 March and 21 April following the 12 March mobile banking app incident
  • The bank revised affected customer figures down to 446,915 from 447,936, with 107,937 clicking through to transaction details rather than 114,182
  • An additional 80,508 joint account holders who did not log in were also alerted because their transaction details may have been viewed
  • Lloyds analysis comparing six weeks before and four weeks after the incident found no increase in fraud volumes and no statistical link to the data exposure
  • Social media scanning across X, Facebook, Instagram and TikTok found no publicly available screenshots of transaction information from the incident

Lloyds Banking Group has paid around £62,000 in goodwill payments to roughly 1,625 customers following a mobile banking app incident in March.

The payments were made between 24 March and 21 April, according to a letter from Jasjyot Singh OBE, CEO of Consumer Relationships at Lloyds, to Treasury Committee Chair Dame Meg Hillier MP.

The 24 April letter confirms the bank has not identified any customer who suffered financial loss from the incident, which briefly allowed account holders to view transactions belonging to others.

The £62,000 figure relates solely to distress and inconvenience payments made under existing practice for individual cases.

The incident occurred on the morning of 12 March after an overnight update to the Lloyds mobile banking app. Lloyds has now revised down the customer impact figures it originally reported to the Treasury Committee on 24 March.

The bank now assesses that a maximum of 446,915 customers who logged in during the affected window may have viewed other people’s transactions or had their own transactions presented to others. That figure is down from the 447,936 provided in the initial response.

The number of customers who clicked through to view transaction detail has also been revised, falling from 114,182 to 107,937.

Lloyds attributes the reduction to the identification of duplicate customers and further analysis of click-through behaviour.

A separate group of 80,508 joint account holders who did not log in during the incident may have had their transaction details viewed by others.

These customers share accounts with those who were active during the window. Lloyds issued an alert on the app home screen to these joint account holders, with a small number of exceptions based on particular customer circumstances.

This sat alongside the targeted alert sent from 24 March to the 446,915 customers who logged in during the affected period.

The bank confirmed its digital communications are compatible with screen readers. Branch, telephone and mobile messaging colleagues were briefed to support customers with additional needs.

Fraud assessment finds no statistical link

Lloyds said it carried out detailed analysis comparing fraud volumes against the affected population of 446,915 customers. The comparison covered the six weeks before 12 March and the four weeks afterwards.

The bank found no increase in average daily fraud volumes across that period. There was also no statistically significant difference in fraud types including impersonation scams and card fraud.

Lloyds also reviewed individual fraud cases occurring after 12 March to establish whether any showed a discernible link to the data potentially viewed. The bank found no such link in any of the cases examined.

The analysis was extended to customers whose transactions may have been visible to others. Again the bank found no increase in average daily fraud volumes when comparing the periods before and after the incident.

The current assessment of complaints received has not highlighted any cases relating to customers of other banks. This is despite some visible transaction information potentially relating to payments made to or from non-Lloyds customers.

Lloyds maintains its initial assessment that the transaction information visible during the incident would not be sufficient on its own for someone to commit fraud against an individual’s bank account.

The bank said it is very unlikely the information could be used to carry out fraudulent activity more widely.

Social media monitoring

Lloyds said it also reviewed social media posts and comments related to the app incident across its Lloyds, Halifax and Bank of Scotland customer channels.

The bank found no identifiable screenshots of transaction information. Lloyds also conducted social media scanning at intervals across major platforms including X, Facebook, Instagram and TikTok.

The bank looked for any users who had shared screenshots on publicly available feeds or pages. That analysis indicates no transaction information screenshots are publicly available.

Customer communications issued in the app from 24 March made clear that any recorded or shared information relating to other individuals, including screenshots, should be deleted. Frontline teams received guidance to reinforce this with customers.
