Customers using the mobile banking apps of Lloyds Bank, Halifax and Bank of Scotland reported seeing other users’ transaction details last week, prompting concerns that sensitive financial information may have briefly been visible between accounts.
The banks said the issue was linked to a technical error affecting their mobile platforms, which was later resolved. If confirmed, the exposure of customers’ financial information could meet the threshold for a reportable personal data breach under UK GDPR, according to cyber risk specialists.
William Gow, chair of the Chartered Institute of Loss Adjusters’ cyber and technology special interest group and head of cyber & technology risks UK at Crawford & Company, said the type of information reportedly visible between users would likely trigger notification requirements.
“It is highly likely, as it appears customers report having briefly seen other individuals’ transaction data, including wage details, benefit payments and in some cases National Insurance numbers, which constitutes Personally Identifiable Information (PII) disclosed to ‘unauthorised’ recipients,” he said.
“This would very likely meet the UK GDPR threshold for notifying the ICO (who are reportedly already making enquiries) and affected individuals.”
Under UK GDPR, organisations must notify the Information Commissioner’s Office within 72 hours of becoming aware of a personal data breach unless it is unlikely to result in a risk to individuals’ rights and freedoms; where the risk is high, affected individuals must also be told without undue delay. Incidents involving financial or identity-linked information are typically treated as higher risk.
Data breaches affecting financial institutions can trigger multiple forms of insurance coverage depending on the circumstances and policy structures.
“Cyber insurance would typically respond to investigation, notification, regulatory and liability costs arising from a data breach,” Gow said.
“Financial Institutions’ E&O or professional liability policies may also apply where operational or system failures lead to customer impact. Coverage may extend to crisis communications and regulatory defence depending on policy terms.”
For insurers and brokers, events of this kind show that a data exposure does not need an attacker behind it: a technology failure inside the institution can create the same complex claims scenario, with regulatory scrutiny and potential customer liability.
Regulators may also examine whether safeguards were sufficient to prevent the exposure of customer data. Incidents involving sensitive financial information can attract scrutiny from both the Information Commissioner’s Office and financial regulators.
“Banks could face ICO investigation and potential enforcement for failing to prevent ‘unauthorised disclosure’ of financial and identity-linked data,” Gow said.
“They may also face customer claims for distress or misuse of data, alongside scrutiny from the financial regulators (FCA) given the sensitivity of the exposed information.”
The Financial Conduct Authority has increasingly emphasised operational resilience and firms’ responsibility to protect customers from harm arising from technology failures.
As banking services become increasingly reliant on mobile platforms and digital infrastructure, even short-lived technical failures can expose financial institutions to regulatory scrutiny and potential customer claims. For insurers and brokers, this means a cyber event within a financial institution can escalate well beyond the initial technical fix into regulatory investigations, customer complaints and reputational damage.
The growing reliance on digital banking platforms has also increased the importance of cyber insurance and related liability cover as firms seek protection against the financial and regulatory consequences of technology failures.