How a Lloyds Data Breach Exposed Half a Million Users
In 2026, when the cybersecurity world is focussed on the security threats posed by bad actors, a major data breach was caused by a few lines of unassuming code.
This data breach happened at Lloyds Banking Group – one of the UK's largest financial services providers – on 12 March 2026, when customers were able to view sensitive data belonging to other users.
Around half a million customers were impacted by a glitch that revealed sensitive data including transactions, sort code, account numbers and even National Insurance numbers.
In some cases, data belonging to customers of other banks was also visible, where a payment had been made to an account holder at a different bank.
What resulted was a serious panic among customers of Lloyds, Halifax and Bank of Scotland, as users took to social media with speculation of potential fraud and hacking.
In a letter to parliament, Jasjyot Singh OBE, CEO of Consumer Relationships at Lloyds Bank, notes that: “Although this information should not have been visible, customers’ account balances were not affected and customers were not able to perform unauthorised actions or move money on anyone else’s account.”
The banking giant compensated 3,625 customers with a goodwill payment of £139,000 (US$185,000).
What caused the incident?
Jasjyot notes in the letter that the incident was caused by an “IT change made overnight between 11 and 12 March which introduced a software defect”.
This defect meant that when a customer requested their current account transactions, the data returned to them was also visible to other customers who were in the app viewing their own transactions at the same time.
“We have established that the defect was in the design of the code used to update the application programme interface (API) used by the app,” Jasjyot reveals.
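The letter does not say what the defective API code actually did, only that one customer's transactions were served to other customers using the same endpoint at the same time. The following is an added illustration of one mechanism that produces exactly that symptom, not Lloyds' own code: a response cache whose key omits the identity of the authenticated caller, so the first customer's rows are handed to everyone who follows. The hardened version beside it keys the cache by account and, as defence in depth, checks that every returned row belongs to the requester. The ledger, account identifiers and the `cross_user_leak` regression check are all constructed for this example.

```python
"""
Illustrative model of a cross-customer data leak in a transactions API.

Added example, not Lloyds code. The page does not state the real defect;
the assumed mechanism here is a response cache keyed only by endpoint
path. The hardened handler keys the cache by the authenticated account
and verifies ownership of every row before returning it.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Transaction:
    account_id: str      # owner of the transaction
    amount_pence: int
    description: str


# Constructed sample ledger standing in for the core banking store.
LEDGER = [
    Transaction("acct-A", -4500, "Coffee shop"),
    Transaction("acct-A", 150000, "Salary"),
    Transaction("acct-B", -12000, "Energy bill"),
]


def load_transactions(account_id: str) -> list[Transaction]:
    """Backend query: returns rows for one account only."""
    return [t for t in LEDGER if t.account_id == account_id]


class VulnerableTransactionsApi:
    """Cache keyed by path alone. The caller's identity is not part of
    the key, so whoever populates the cache first 'wins' for everyone."""

    def __init__(self) -> None:
        self._cache: dict[str, list[Transaction]] = {}

    def get_transactions(self, authenticated_account: str) -> list[Transaction]:
        key = "/accounts/transactions"        # BUG: account missing from key
        if key not in self._cache:
            self._cache[key] = load_transactions(authenticated_account)
        return self._cache[key]


class HardenedTransactionsApi:
    """Cache keyed by (path, account) plus an ownership check on the
    way out, so a bad cache entry fails closed instead of leaking."""

    def __init__(self) -> None:
        self._cache: dict[tuple[str, str], list[Transaction]] = {}

    def get_transactions(self, authenticated_account: str) -> list[Transaction]:
        key = ("/accounts/transactions", authenticated_account)
        if key not in self._cache:
            self._cache[key] = load_transactions(authenticated_account)
        rows = self._cache[key]
        # Defence in depth: never trust the cache; every row must belong
        # to the caller, otherwise refuse to serve the response at all.
        if any(t.account_id != authenticated_account for t in rows):
            raise PermissionError(
                f"cross-account rows in response for {authenticated_account}"
            )
        return rows


def cross_user_leak(api_factory: Callable[[], object]) -> bool:
    """Regression check worth running before any deployment of the API:
    customer A views their transactions, then customer B does.
    Returns True if B's response contains any row that is not B's."""
    api = api_factory()
    api.get_transactions("acct-A")
    rows_for_b = api.get_transactions("acct-B")
    return any(t.account_id != "acct-B" for t in rows_for_b)


if __name__ == "__main__":
    print("vulnerable handler leaks:", cross_user_leak(VulnerableTransactionsApi))
    print("hardened handler leaks:  ", cross_user_leak(HardenedTransactionsApi))
```

The point of the `cross_user_leak` check is that it is cheap to keep in a pre-release test suite: it exercises two authenticated sessions against the same endpoint and asserts that neither sees the other's rows, which is precisely the property that an overnight change to the API broke here.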
“While no organisation is immune to incidents, what matters most is how resilience is designed into the operating model from the outset; across technology, processes, people and decision-making,” notes Krista Griggs, Global Account Director at GFT Technologies on her LinkedIn.
“The goal isn’t just recovery when things go wrong, but reducing the likelihood and impact of issues in the first place.
“In this case, Lloyds acted swiftly and responsibly, reinforcing how strong response capabilities play a critical role in maintaining consumer trust.
“But the real lesson for the industry is the same as it has been for some time: resilience can’t be bolted on.
“It has to be a core part of the operating system.”
Digital security, resilience and honesty
The incident prompted an apology from Lloyds, which responded on social media noting that: “We’re really sorry – the issue was fixed quickly and there’s no action needed. We’re reviewing what happened to make sure it doesn’t happen again.”
“Modern banking methods mean we can now perform a variety of tasks on our phones in a matter of seconds and almost anywhere,” says UK Treasury Select Committee Chair, Dame Meg Hillier.
“What this incident brings into focus is the fact that there is a trade-off.”
Further commentary from Danilo D'Auria, Director of IT at InterRegs on his LinkedIn reads: “Years of trust – gone in four hours.”
“A single software defect introduced during an overnight update exposed the personal data of nearly half a million banking customers.
“No malicious actors, no external breach, just a few lines of flawed code.”
“This is not a story about Lloyds alone. It is a story about the hidden fragility in every organisation that has bet heavily on digital transformation – shifting customers from physical touchpoints to apps and platforms that run on software updated overnight, often without visible ceremony.
“Years of brand equity, customer loyalty and regulatory goodwill can be compromised in the space of a single failed deployment. The technical window was under five hours. The reputational and regulatory consequences will last considerably longer.”
Danilo adds that: “The organisations that recover fastest from incidents like this are not those with the fewest failures. They are those with the most practised response.
“Failure is a when, not an if. The gap between a manageable incident and a reputational crisis is almost always the speed and honesty of the response.”