A Lloyds banking app glitch allowed almost half-a-million people to access the bank transactions from *other* banking customers.

Per a letter from its CEO, "a customer had to access their own list of transactions within small fractions of a second of another person doing the same." 👀

Asking the infosec hivemind. Was this security event a race condition or classified as something else? And why do these data leaks seem to happen often at banks or financial companies?

https://www.theregister.com/2026/03/27/lloyds_app_glitch_turned_transactions/

Lloyds app glitch turned transactions into shared experience for 447k users

A botched update mixed up transaction data across accounts, with thousands now receiving goodwill payouts

The Register
@zackwhittaker Sounds like a cache key problem. They were caching using the wrong logic, which returned incorrect results to different user sessions. I would hazard a guess that that specific API route was not supposed to have caching, but someone accidentally enabled it.
@derekheld @zackwhittaker This, or the API was using concurrency-unsafe functions, which allowed local variables (the "cached" data) from one thread to be exposed to another thread. Either way, it still boils down to a caching problem.
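To make the two mechanisms proposed in the replies above concrete, here is a constructed Python model (added here; it is not code from the thread and not a claim about what Lloyds actually shipped). It assumes an invented `/api/transactions` route, two invented users, and a short cache TTL standing in for the "small fractions of a second" window from the CEO's letter. The first pair of handlers shows a response cache keyed by route only versus one keyed by route plus the authenticated principal; the second pair shows a handler that parks the loaded rows in module-level scratch state versus one that keeps them in a request-local variable, driven by a tiny scheduler that interleaves two in-flight requests.

```python
"""Constructed illustration of two ways one user's transactions reach another session."""
import time

# Constructed sample data: each user has a distinct transaction list.
TRANSACTIONS = {
    "alice": [("2026-03-20", -12.50, "COFFEE"), ("2026-03-21", 1500.00, "SALARY")],
    "bob": [("2026-03-22", -80.00, "FUEL")],
}


class ResponseCache:
    """Minimal TTL cache; `clock` is injectable so the expiry window can be simulated."""

    def __init__(self, ttl_seconds=0.5, clock=time.monotonic):
        self._store = {}
        self._ttl = ttl_seconds
        self._clock = clock

    def get(self, key):
        hit = self._store.get(key)
        if hit is None:
            return None
        value, expires_at = hit
        if self._clock() >= expires_at:
            del self._store[key]
            return None
        return value

    def put(self, key, value):
        self._store[key] = (value, self._clock() + self._ttl)


# Hypothesis 1: the cache key identifies the route but not the principal.
def transactions_unscoped(user, cache):
    key = "GET /api/transactions"  # bug: every user shares this key
    cached = cache.get(key)
    if cached is not None:
        return cached  # whoever asked first within the TTL wins
    rows = TRANSACTIONS[user]
    cache.put(key, rows)
    return rows


def transactions_scoped(user, cache):
    key = ("GET /api/transactions", user)  # principal is part of the key
    cached = cache.get(key)
    if cached is not None:
        return cached
    rows = TRANSACTIONS[user]
    cache.put(key, rows)
    return rows


# Hypothesis 2: request state parked in storage shared by all in-flight requests.
_scratch = {}  # module-level slot reused by every request (the bug)


def handler_shared_state(user):
    _scratch["rows"] = TRANSACTIONS[user]  # step 1: load into shared slot
    yield  # handler yields here, so another request may run before step 2
    return _scratch["rows"]  # step 2: render whatever is in the slot now


def handler_request_scoped(user):
    rows = TRANSACTIONS[user]  # request-local; nothing else can overwrite it
    yield
    return rows


def run_interleaved(handler, users):
    """Round-robin scheduler: advance every in-flight request one step at a time."""
    inflight = {u: handler(u) for u in users}
    results = {}
    while inflight:
        for user, gen in list(inflight.items()):
            try:
                next(gen)
            except StopIteration as done:
                results[user] = done.value
                del inflight[user]
    return results


if __name__ == "__main__":
    clock = [0.0]
    cache = ResponseCache(ttl_seconds=0.5, clock=lambda: clock[0])
    transactions_unscoped("alice", cache)
    print("bob (unscoped key) sees:", transactions_unscoped("bob", cache))
    print("alice (shared state) sees:", run_interleaved(handler_shared_state, ["alice", "bob"])["alice"])
```

In the unscoped version Bob receives Alice's rows only while Alice's entry is still inside the TTL; once the clock passes the expiry he gets his own data, which is the "fractions of a second" timing signature. The shared-state version leaks regardless of timing whenever two requests interleave between the load and render steps, and the fix in both cases is the same idea: bind the data to the request or principal, never to the route alone.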
@claus @derekheld Interesting, I'll look into this more. I appreciate you both taking the time to reply!