Madeleine Ross

BREAKING: The Word “Glitch” Is Doing the Heaviest Lifting in British Banking Today This morning, customers of Lloyds, Halifax, and Bank of Scotland opened their banking apps and found themselves staring at the complete financial lives of total strangers. Transaction histories. Account numbers. Sort codes. National Insurance numbers. DWP benefit payments. English wages appearing in Scottish accounts. Pub tabs in Newcastle showing up in Wales. One Bank of Scotland customer cycled through six different people’s full account details in twenty minutes, each refresh serving a new stranger’s financial identity like a slot machine of personal data. The banks called it a “technical glitch” and told customers not to worry. Halifax’s official response on X was to suggest logging out and back in. Lloyds asked users to “bear with them.” Bank of Scotland said they were “investigating.” Let me translate this from institutional euphemism into plain language. A banking group serving over 26 million customers had a backend failure that served authenticated financial data, including government-issued identity numbers, to random sessions. In any jurisdiction with functioning data protection enforcement, this is not a glitch. This is a reportable data exposure event under UK GDPR. The Information Commissioner’s Office requires notification within 72 hours of any breach involving personal data that poses a risk to individuals’ rights. National Insurance numbers are the skeleton key to identity fraud in Britain. They unlock tax records, benefit claims, credit applications, and pension access. Every single NI number that appeared on a stranger’s screen this morning is now a compromised credential, regardless of whether the display bug has been “quickly resolved.” The precedent is instructive. In April 2018, TSB suffered a similar failure during an IT migration from the same parent infrastructure. Lloyds Banking Group’s systems. Customers could see other people’s accounts, access funds that were not theirs, and were locked out for months. The FCA and PRA fined TSB £48.65 million. Over 225,000 complaints were filed. £32.7 million in redress was paid. The CEO was forced out. And that failure originated in a planned migration with known risk parameters. This morning’s incident at Lloyds Banking Group was not a planned migration. It was a spontaneous failure in production systems that randomly distributed live financial identities to authenticated but unrelated sessions. The fact that it was brief does not reduce the severity. It increases it. A planned migration that goes wrong reveals poor execution. A production system that spontaneously begins serving random customer data to random sessions reveals something about the underlying architecture that no amount of “quickly resolved” can address. Every customer who saw a stranger’s NI number this morning received proof that the verification promise underpinning digital banking, the promise that authentication equals isolation, failed silently and completely. The banks say your account is safe. What they mean is the display error has been corrected. These are not the same statement. The question is not whether it was fixed. The question is whether anyone took screenshots during those twenty minutes. And whether the ICO and FCA will treat this as what it is.