U.K. digital bank Monzo Bank Ltd. is asking some 480,000 customers to change their personal identification numbers after it left them exposed to unauthorized staff for six months.

The potential breach was caused by what the bank described as a bug that exposed the PINs in log files that could be seen by engineers working for the company. The issue causing the PIN exposure was detected on Friday and rectified by Saturday morning and any incorrectly stored PINs deleted by Monday morning.

Monzo emphasized in a blog post Sunday that no one outside of the bank itself had access to the PINs but said it advised the PIN reset to be on the safe side. The 480,000 customers affected represent less than a fifth of Monzo customers in tota,l although it’s not clear why some customers and not others had their PINs potentially exposed.

Launched in 2015, Monzo has been a success story in the U.K., having grown to around 2.5 million customers with strictly digital-only banking services through its app on iOS or Android. It was reported in June that it was in talks to expand to the U.S., including setting up a development office in Los Angeles.

“This incident highlights that security teams at companies, especially those companies that handle highly sensitive consumer data as Monzo does, must do better to protect the integrity of that data,” Attila Tomaschek, data privacy advocate at ProPrivacy.com, told SiliconANGLE.

“Luckily, this particular incident was relatively small in scale with only half a million people affected and without potentially devastating fraudulent repercussions,” Tomaschek noted. “The incident can also be a lesson to consumers of such banking technology to keep a close eye on their account activity, to protect their accounts with PINs that are difficult to guess, to change those PIN numbers regularly, and to keep their banking apps updated to the latest versions to ensure proper security.”

Photo: Monzo