Major UK banks accidentally made customer accounts public in data glitch: Here's how it happened

Lloyds, Halifax, Bank of Scotland accidentally made customer accounts visible to strangers

By Geo News Digital Desk

A major glitch at Lloyds Banking Group on Thursday morning, March 12, left customers’ data exposed.

Customers reported viewing other people’s private transactions, including benefit payments, National Insurance numbers, and wage details, via the bank’s mobile application.

The outage lasted for an hour across Lloyds Bank, Halifax, and Bank of Scotland.

According to Downdetector, outage reports started coming in between 7:00 a.m. and 9:00 a.m. Users also reported the incident on social media.

The breach was later confirmed by Lloyds Banking Group. The group apologised to its UK customer base of 26 million, stating: “This morning, we incorrectly showed transaction information from some accounts to other customers in Internet banking and the mobile app.”

“We’re sorry this happened. The issue was quickly identified and resolved,” the company added.

Although the glitch was massive, the bank insisted that “nobody had access to your accounts” and said it was “reviewing what happened to ensure this can’t occur again.”

This incident marked the third time a major outage occurred on Lloyds’ apps in just over a year, following payday failures in January and February 2025 that affected 700,000 customers.

While the bank has not released full technical details, experts suggested that the glitch could have resulted from one of several possible failures.

A session management problem may have matched users to the wrong sessions, so that data was served from the wrong accounts. To a customer, this may have looked like viewing the wrong person's profile after login. A corrupted cache may also have caused incorrect data to be returned.

An authentication bypass may have caused incorrect account filtering. The API may have returned all available data if the userID filters were removed.

A session management problem could result in users being mismatched and receiving data from the wrong accounts. Most likely, a flawed software update or server deployment introduced this bug during routine maintenance or system changes.
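The cache and session-mismatch scenario the experts describe can be reproduced in a few lines. This Python example is added here for illustration and is not code from Lloyds or from the original report, and the bank has not confirmed this cause; the endpoint path, session tokens, user names and class names are all hypothetical.

```python
# Constructed sample data: users, sessions and transactions are invented.
TRANSACTIONS = {
    "alice": [{"desc": "Wages", "amount": 2100}],
    "bob": [{"desc": "Benefit payment", "amount": 340}],
}
SESSIONS = {"sess-a": "alice", "sess-b": "bob"}  # session token -> user
PATH = "/api/transactions"  # hypothetical endpoint


class UnsafeApi:
    """Caches by URL path only, so the first caller's response is replayed to everyone."""

    def __init__(self):
        self.cache = {}

    def get_transactions(self, session, path=PATH):
        if path in self.cache:  # cache hit ignores who is asking
            return self.cache[path]
        user = SESSIONS[session]
        body = {"owner": user, "items": TRANSACTIONS[user]}
        self.cache[path] = body
        return body


class SaferApi:
    """Scopes the cache key to the authenticated user and re-checks ownership on every read."""

    def __init__(self):
        self.cache = {}

    def get_transactions(self, session, path=PATH):
        user = SESSIONS.get(session)
        if user is None:
            raise PermissionError("unknown session")
        key = (user, path)  # identity is part of the cache key
        body = self.cache.get(key)
        if body is None:
            body = {"owner": user, "items": TRANSACTIONS[user]}
            self.cache[key] = body
        if body["owner"] != user:  # corrupted entry: evict and fail closed
            del self.cache[key]
            raise RuntimeError("cache entry owner mismatch")
        return body


def leaked(api):
    """Return True if bob's session receives data owned by another user."""
    api.get_transactions("sess-a")  # alice's request warms the cache
    return api.get_transactions("sess-b")["owner"] != "bob"
```

The ownership check in `SaferApi` is what turns a corrupted cache entry into an error rather than a disclosure.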