Key takeaway: An overnight software glitch at Lloyds briefly exposed nearly half a million customers’ transaction data, triggering political and regulatory scrutiny.

Lloyds Banking Group is under intense pressure after an IT glitch in its mobile apps exposed the personal data of up to 447,936 customers earlier this month.
The incident allowed some users of the Lloyds, Halifax and Bank of Scotland apps to see other people’s transactions, including highly sensitive details.
The breach has quickly escalated from a technical fault to a serious test of trust in the UK’s digital banking infrastructure.
The issue occurred on 12 March during an overnight update to the group’s mobile banking platforms.
Lloyds has told Britain’s cross‑party Treasury Committee that a “software defect” in that update caused some app sessions to display other customers’ transaction data.
Exposed information could include transaction details, account information, payment references and even National Insurance numbers, significantly raising the privacy stakes.
According to figures shared with MPs, 447,936 customers across Lloyds, Halifax and Bank of Scotland were affected in total.
That number includes people whose data was exposed, as well as those who were able to see other customers’ financial activity.
Of those, 114,182 customers clicked on transactions that did not belong to them, giving them access to more detailed personal information about other users.
Lloyds says it has so far paid 139,000 pounds in compensation to 3,625 customers for distress and inconvenience caused by the glitch.
Crucially, the bank and the Treasury Committee both state that there is no evidence so far of any customer suffering financial loss as a direct result of the breach.
Even so, the scale of exposure and the sensitivity of the data involved mean the risk of future fraud or identity theft cannot be dismissed.
In a letter to the Treasury Committee, Jasjyot Singh, Lloyds’ consumer relations chief, apologised for the incident and outlined the bank’s response.
The bank said it had notified affected customers, put in place dedicated support and strengthened monitoring for suspicious activity following the glitch.
A Lloyds spokesman added: “On March 12, some customers using our app may have briefly seen transactions that were not their own following an IT change. The issue was quickly identified and resolved, and we’ve contacted customers whose transactions may have been visible for that short time.”
Parliament is not treating this as a routine technical error.
The Treasury Committee had already demanded explanations from Lloyds after the glitch first came to light on 12 March and has now received detailed figures on the scale of the exposure.
Lloyds has been ordered to provide further updates within one month and again after six months, signalling that MPs intend to keep sustained pressure on the bank.
Committee chair Dame Meg Hillier has warned that the episode underlines the risks of a banking system that is rapidly shedding branches and pushing customers into apps and websites.
She highlighted how convenient mobile banking rests on complex technology that can fail in unexpected ways, with consequences far beyond simple downtime.
Her comments reflect wider concern in Westminster after data showed the UK’s nine biggest banks and building societies suffered at least 803 hours of unplanned IT outages between January 2023 and February 2025.
This latest breach also lands against a sensitive backdrop for Lloyds on data protection.
Earlier this year, the Information Commissioner’s Office began looking into reports that the bank had used detailed account data from tens of thousands of staff during pay negotiations, raising questions over internal governance of personal information.
The new customer‑facing glitch will likely intensify regulatory scrutiny of how Lloyds tests software changes and safeguards data across its systems.
For now, regulators including the Financial Conduct Authority, the Prudential Regulation Authority and the ICO have all been notified of the incident.
Legal and privacy experts say the ICO could, in theory, impose a significant fine if it concludes Lloyds did not have “appropriate technical and organisational measures” in place to prevent a breach of this scale.
Whether the regulator takes that path will depend on factors such as how quickly the issue was fixed, how transparently Lloyds handled notifications and what long‑term fixes it implements.
For customers, the most immediate advice is to treat this as a serious privacy incident even if no money has been taken.
Exposed account details, transaction histories and National Insurance numbers can all be valuable ingredients for future phishing, impersonation or identity‑theft attempts.
Cybersecurity specialists recommend that anyone contacted unexpectedly about their Lloyds, Halifax or Bank of Scotland account should verify messages through official channels and be wary of sharing additional personal data.
At a sector level, the Lloyds case has become a powerful example of how modern banking risks are shifting from bank vaults to code repositories.
In the past, headline incidents often involved external cybercriminals launching distributed denial‑of‑service attacks, as happened to Lloyds in 2017 when online services were intermittently disrupted.
Today, as this glitch shows, a flawed overnight update can be just as damaging to customer trust as a hostile attack.
The next six months will reveal whether Lloyds can reassure regulators, lawmakers and customers that it has truly learned from this event.
The bank will be judged not only on compensation and apologies, but on how it hardens its testing, monitoring and data‑segregation controls to ensure that hundreds of thousands of people are never again made unwilling spectators of each other’s financial lives.
