Intech Group
File Governance & Cloud Data Protection

Lloyds Bank Coding Fault Exposed Customer Data - What Your Business Should Do Next

A coding error at Lloyds Banking Group exposed transaction data for hundreds of thousands of customers. If your business banks with Lloyds, Halifax, or Bank of Scotland, here is what you need to check and how to protect your organisation going forward.

Mat Stocks
30 March 2026 7 min read
[Image: A checklist showing the seven steps UK businesses should follow when a supplier suffers a data breach, from gathering details to reviewing the supplier relationship]
Topics: data breach, UK GDPR, supplier risk, Lloyds Bank, incident response, third-party risk

What happened at Lloyds

On the morning of 12 March 2026, a software update went wrong at Lloyds Banking Group. A coding error in their mobile banking app meant that some customers could see other people’s transactions when they logged in.

The problem lasted roughly five hours, from around 03:28 to 08:08 that morning. It affected the Lloyds Bank, Halifax, and Bank of Scotland apps - all part of the same banking group.


How big was the breach

Out of 21.5 million mobile banking users, around 1.67 million logged in during the affected window. Lloyds estimates that up to 447,936 customers may have seen other people’s transaction lists, including payment amounts, dates, and references.

More worryingly, up to 114,182 customers could have seen detailed payment information - sort codes, account numbers, and text entered alongside payments. That text sometimes includes sensitive details like National Insurance numbers or vehicle registrations.

Lloyds has paid around £139,000 in goodwill payments to roughly 3,625 customers so far. The bank reported the incident to the Information Commissioner’s Office (ICO) - the UK’s data protection regulator - within the required 72-hour window.


Why this matters for your business

Most small and medium-sized businesses assume their data is safe with a major bank or well-known supplier. This incident proves that assumption wrong. If a bank with thousands of engineers and billions in revenue can push a faulty update that exposes customer data for five hours, any supplier can.

The key lesson is not that Lloyds is careless. It is that no organisation is immune to mistakes, and your business needs a plan for when a supplier lets you down.

Key takeaway: You cannot outsource responsibility for your data. Under UK data protection law, your business remains accountable for personal data even when a third party handles it.


Step 1 - Check if your business is affected

If your business uses Lloyds, Halifax, or Bank of Scotland for business banking, take these steps now:

  • Check your app activity. Did anyone in your team log into the mobile banking app between 03:28 and 08:08 on the morning of 12 March? If so, there is a chance your business transactions were visible to others.
  • Look for notifications. Lloyds has been contacting affected customers directly. Check your email, app notifications, and post for any correspondence.
  • Contact the bank. If you are unsure whether your business was affected, call Lloyds’ dedicated line or speak to your business relationship manager. Ask for written confirmation of whether your accounts were involved.
  • Check for unusual activity. While this was a viewing issue rather than a theft, exposed sort codes and account numbers could be used in fraud attempts. Review your recent transactions carefully.

Step 2 - Understand your rights under UK data protection law

The UK General Data Protection Regulation (UK GDPR) - the set of rules that governs how organisations handle personal data - gives your business clear rights when a breach occurs.

Your right to be informed. If your personal or business data was exposed, the organisation responsible must tell you without undue delay. They must explain what happened, what data was involved, and what they are doing about it.

Your right to compensation. If you have suffered material damage (financial loss) or non-material damage (distress, anxiety) as a result of a breach, you may be entitled to compensation. Lloyds’ goodwill payments so far have averaged around £38 per affected customer, but you are not obliged to accept an initial offer.

Your right to complain. You can raise a complaint directly with the ICO if you believe your data has been mishandled. The ICO can investigate and take enforcement action, including fines of up to £17.5 million or 4% of annual turnover for serious breaches.


Step 3 - Review your supplier agreements

This incident is a good prompt to look at how your business manages supplier risk more broadly. You do not need a legal team to ask some basic questions.

Do your contracts cover data breaches? Any supplier that handles personal data on your behalf - whether that is a bank, a payroll provider, a cloud storage service, or an email platform - should have clear terms about what happens when things go wrong. Look for clauses that require them to notify you promptly if a breach occurs.

Are your suppliers required to tell you quickly? Under UK GDPR, a data processor (a supplier handling data on your behalf) must notify you without undue delay after becoming aware of a breach. Your contract should reflect this.

Do you know where your data is? Many businesses use suppliers without fully understanding what data those suppliers hold. Make a simple list of every supplier that has access to personal data - staff records, customer details, payment information - and note what data they hold and where it is stored.

Key takeaway: If you cannot list the suppliers that hold your business data and what they hold, that is your first action item.


Step 4 - Build a third-party incident response checklist

You do not need a 50-page policy document. A simple checklist that your team can follow when a supplier reports a problem is enough. Here is a starting point:

| Step | Action | Who |
|------|--------|-----|
| 1 | Get written details from the supplier - what happened, what data was involved, how many people affected | Account manager or owner |
| 2 | Assess the risk - could this lead to fraud, identity theft, or financial loss for your staff or customers? | Owner or office manager |
| 3 | If the risk is high, report to the ICO within 72 hours via ico.org.uk | Owner or data lead |
| 4 | Notify affected individuals if there is a high risk to their rights | Owner or office manager |
| 5 | Document everything - dates, communications, decisions made, and why | Office manager |
| 6 | Change passwords and access credentials for the affected supplier | IT contact or managed IT provider |
| 7 | Review whether to continue with the supplier or explore alternatives | Owner |

Print this out. Pin it somewhere visible. When the next incident happens - and it will - you will not be scrambling to figure out what to do.


Step 5 - Strengthen your defences going forward

You cannot prevent a supplier from making a mistake, but you can reduce the damage when it happens.

Limit what you share. Only give suppliers the data they genuinely need. If your bank does not need your staff’s personal email addresses, do not include them in payment references.

Use separate accounts where possible. If your business banking app is on a shared device, consider whether each user needs their own login. This limits exposure if one account is compromised.

Turn on alerts. Most business banking apps let you set up notifications for transactions over a certain amount. If someone misuses exposed account details, you will spot it faster.

Ask your IT provider about monitoring. A managed IT provider can help you set up monitoring across your business systems so that unusual activity - like unexpected logins or data access - gets flagged quickly.


The bigger picture

The Lloyds incident is a reminder that data protection is not just about what happens inside your own business. Every supplier, every app, every cloud service you use is a link in a chain. One weak link can expose your data.

The good news is that you do not need to be a technology expert to manage this risk. You need a list of your suppliers, clear agreements about data handling, and a simple plan for when things go wrong.

If you are not sure where to start, a managed IT provider can help you audit your supplier relationships, tighten up your data handling, and put an incident response plan in place - before the next breach makes the headlines.

Key takeaway: The question is not whether a supplier will have a data incident. It is whether your business is ready when it happens.

Need help reviewing your supplier data agreements and building an incident response plan? Talk to our team.
