Lloyds, Bank of Scotland and Halifax apps showing customers other users’ transactions

https://www.bbc.co.uk/news/articles/c4g23npxpwgo

Posted by Your_Mums_Ex

25 Comments

  1. Never going to live it down if people find out I subscribe to a My Little Pony magazine

  2. JackStrawWitchita

    Massive GDPR breach. They need to be heavily fined for this.

    Too many companies are cutting back on quality control of their IT systems in order to save a few quid. This is a preventable customer data breach.

  3. More and more outages, incidents and security breaches.

    Take your pick from headcount reduction, outsourcing, AI slop-coding and AI slop-devops.

  4. Well they’ve locked down the apps for now from the looks of it so good luck if you’re with Lloyds group and need to make a transfer this morning

  5. limeflavoured

    Incoming massive fine from the ICO and probably the FCA.

    But I can’t imagine individuals will be able to sue since there’s no financial loss.

  6. ash_ninetyone

    If I wanted to make an assumption, did the developers of those systems introduce AI-aided coding?

    Because you have to have a major screw-up or really bad devs if your system starts showing mismatched account IDs

  7. Informal_Arachnid_84

    My bank has sent me a dozen or so messages to tell me that I have gone over my overdraft limit. I hope not, I got paid today and I’m still in bed.

  8. One-Program6244

    These are three separate banks aren’t they? Are they linked in a business sense? Does one own another?

  9. Timely_Note_1904

    Not the first time a bank has had a caching issue. You’d think this would be one of the scenarios in their automated testing before releasing any change. Bank account logins are an example of a place you shouldn’t be caching anything, it shouldn’t be too hard to avoid.

  10. FourJaffacakes

    Why do I get the feeling this is going to be because of a ‘Vibe Coded’ change they have done recently…

  11. lastaccountgotlocked

    Not a problem for me, i buy all my dildos through a company called Bobby’s Bits. Nobody’s the wiser.

  12. Having just opened an account with Lloyds and having accounts with multiple other banks, there’s something deeply amateurish about their app and whole digital banking infrastructure, so this is absolutely no surprise.

  13. Ha ha. As a smug IT professional myself, how is that outsourcing of IT looking now ya dick heads!?

    Oh shit. I am with Lloyds!

    “The incident has been quickly resolved”

    No it has not! You just shut the app down.

  14. This is a massive failure of basic data security. Cutting corners on IT testing to save money is exactly how these completely preventable breaches happen. The fines for this should be absolutely massive.

  15. PolarLocalCallingSvc

    > The 55-year-old also reported being able to view benefits payments from the Department of Work and Pensions (DWP), which use the National Insurance numbers of recipients as a payment reference.

    I’ve never been on benefits and didn’t realise this was a thing.

    To me this seems… unwise?

    DWP should surely have an identifier for an individual which isn’t their NI number, which they could use in payment references if they really needed to, which may only be pseudonymisation but still would make it more difficult to commit fraud from finding somebody’s bank statement lying around.

    I’m not even sure why their payments need any individual identifiers rather than payment identifiers.

  16. Amex was doing this too, about 2 years ago. Globally I might add (I saw the transactions of a user from another country). No idea if they’ve ever been fined or even acknowledged the issue officially

  17. Unbelievable that something like this can happen in ~~2025~~ 2026, 1000x more so as a bank.

    Did some vibe-coding intern forget to run their tests before hitting deploy or something?

    So do we think: crappy code release? f—ked caching strategy? session clashes?

  18. Powerful_Set_2350

    At what point should we be concerned that transactions are not going to be executed in another account?

    Eg. Withdrawing £100 from an ATM is deducted from a random account?

  19. TheKnightsRider

    Last week Barclays was showing 6 transactions to NowTv in regular payments. Called them as I’ve never used it and thought my card might have been cloned; oh, it’s just an error and you’ve not been charged.

    They’re not alone in the shitness

  20. Sounds like someone screwed up the caching rules on their load balancers. Won’t be the first and won’t be the last.

  21. FelisCantabrigiensis

    I am highly confident the failure mode is in the session authentication system at Lloyds.

    The way nearly every such application/website authenticates you is that you go to an authentication system which issues you a session token that authorises you to see certain information for a certain time. Your app or browser then presents this session token every time you interact with the bank’s systems (or the social network, or so on).

    If that system hands out wrong session tokens, then you get access to other information that you are not intended to get access to. Often that is either a bug in the authentication code or, more perniciously, data corruption in the session data store (due to different bugs) so that correct tokens are generated and stored but wrong tokens are retrieved and given to you.

    This has happened before and it will happen again. The idea that it’s absolutely impossible and everyone responsible must clearly be executed on the spot, which seems to be the tone of some other comments, is not quite the reality of the situation.

    (Source: 20+ years working on such systems)
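The following is an added illustration, not code from the thread and not Lloyds’ code, and the page does not establish what actually went wrong at Lloyds. It shows in working Python the two failure modes the thread speculates about: the shared-cache mistake raised in comments 9 and 20 (a per-customer response cached by path alone and replayed to the next customer) and the session-token model described in comment 21 (an opaque token resolved to a customer on every request). Everything in it is hypothetical: the customer names, the transaction lines, the `/api/transactions` path and the `SharedCache` stand-in for an edge cache or load balancer are all constructed for the example.

```python
"""Added example (not from the thread, not any bank's code): a shared response
cache keyed on the path alone leaks one customer's transactions to another,
shown beside the hardened handler. All data and names are constructed."""
import secrets
from dataclasses import dataclass, field

# Constructed sample data: two customers and their transaction lists.
ACCOUNTS = {
    "alice": ["-12.99 Pony Monthly", "+2000.00 Salary"],
    "bob": ["-49.00 Bobby's Bits", "-3.50 Coffee"],
}


class SessionStore:
    """Issues opaque session tokens and resolves them back to a customer,
    the model comment 21 describes."""

    def __init__(self):
        self._sessions = {}

    def issue(self, user):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        return token

    def resolve(self, token):
        return self._sessions.get(token)


@dataclass
class Response:
    status: int
    body: list
    headers: dict = field(default_factory=dict)


class SharedCache:
    """Stand-in for a shared edge cache (CDN or load balancer). It keeps a
    response unless the origin marked it no-store or private."""

    def __init__(self):
        self._store = {}

    def get(self, key):
        return self._store.get(key)

    def put(self, key, resp):
        cc = resp.headers.get("Cache-Control", "")
        if "no-store" in cc or "private" in cc:
            return  # never store per-user responses in a shared cache
        self._store[key] = resp


class VulnerableApp:
    """Bug: per-customer data is sent with a public Cache-Control and the
    cache key is the path only, so the first customer's response is replayed
    to every later customer requesting the same path."""

    def __init__(self, sessions, cache):
        self.sessions, self.cache = sessions, cache

    def get_transactions(self, token):
        user = self.sessions.resolve(token)
        if user is None:
            return Response(401, [])
        key = "GET /api/transactions"  # no per-user component
        hit = self.cache.get(key)
        if hit is not None:
            return hit
        resp = Response(200, list(ACCOUNTS[user]),
                        {"Cache-Control": "public, max-age=60"})
        self.cache.put(key, resp)
        return resp


class HardenedApp:
    """Fix: authenticated responses are marked no-store so a shared cache
    will not keep them, and as defence in depth the cache key includes the
    resolved customer rather than the path alone."""

    def __init__(self, sessions, cache):
        self.sessions, self.cache = sessions, cache

    def get_transactions(self, token):
        user = self.sessions.resolve(token)
        if user is None:
            return Response(401, [])
        key = f"GET /api/transactions user={user}"
        hit = self.cache.get(key)
        if hit is not None:
            return hit
        resp = Response(200, list(ACCOUNTS[user]), {"Cache-Control": "no-store"})
        self.cache.put(key, resp)
        return resp


def run_scenario(app_cls):
    """Alice views her transactions first; Bob then requests the same path.
    Returns the transaction list Bob is shown."""
    sessions = SessionStore()
    app = app_cls(sessions, SharedCache())
    alice, bob = sessions.issue("alice"), sessions.issue("bob")
    app.get_transactions(alice)
    return app.get_transactions(bob).body


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VulnerableApp))  # Bob sees Alice's list
    print("hardened:  ", run_scenario(HardenedApp))    # Bob sees his own
```

The point of the two checks in `HardenedApp` is that they fail independently: a correct `Cache-Control` stops caches the bank does not control from storing the response, and a per-user cache key stops the bank's own cache from conflating customers even if a header is later misconfigured. The same pattern applies to a session data store that returns the wrong record for a token (the corruption scenario in comment 21): the data is only ever looked up by the identity the token resolves to, never by a key shared across users.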

  22. caractacusbritannica

    Wow.

    A few years ago we changed mortgage provider. Paid off our mortgage.

    When we asked for the paperwork and redemption certificates they said they’d been sent.

    They didn’t turn up. We then asked where were they sent, thinking maybe broker/new lender.

    Nope a completely random address across the country. We asked for explanation and complained. We weren’t overly upset, but found it odd and just wanted to know why.

    They gave us £250 and said they were unable to explain why they had been sent there. It seemed the system merged our address/account with a new application. They literally called it an unexplained error!

    I’m thinking that the £250 wasn’t enough.

  23. “We made our experienced developers redundant and relocated all our development to Hyderabad. What could possibly go wrong”.

    Why, after years of these kinds of failures, do highly paid execs still think it’s cheaper to offshore and experience a massive reputational risk and fine from the regulators?

    Whoever signed this off should be named, shamed and have their bonus given to charity.

  24. When you fire most of the devs and leave one guy to vibecode everything, this is what you get.