Banking Glitch and Health Data Leaks Draw Regulatory Attention and Calls for Accountability

A technical fault at Lloyds Banking Group briefly exposed customers’ financial transactions to other users, while a Guardian investigation revealed that health records from UK Biobank had been leaking onto public platforms for years, two incidents that have put institutional data handling under regulatory and public pressure.

On the morning of 12 March, customers of Lloyds Bank, Halifax, and Bank of Scotland reported being able to view transaction records belonging to other account holders through the banks’ mobile and online platforms.

While previous outages at the group had typically prevented customers from accessing their own accounts, this incident was unusual because it exposed other people’s transaction information.

Inside the Glitch

Customers reported seeing incoming and outgoing transactions with shop names and recipient names, card transaction locations, amounts, the last four digits of cards used, and direct debit reference numbers. One Bank of Scotland customer was able to view the accounts of six different users over 20 minutes, including National Insurance numbers surfaced through DWP benefits payments.

Another said he could scroll through a stranger’s full account history month by month, including car registration numbers visible in DVLA direct debit references. Several customers described assuming their own accounts had been cloned or compromised before understanding what had actually happened.

Lloyds Banking Group confirmed that some customers had been incorrectly shown other people’s information, and stated that nobody had gained access to other customers’ accounts. The group said it was reviewing what happened to ensure the issue could not recur. The Financial Conduct Authority said it was in contact with Lloyds Banking Group to understand what had happened and how it was being resolved.

The group has not disclosed how many customers were affected, and has not confirmed whether it notified the Information Commissioner’s Office.

The Long Leak

The Biobank story is different in nature but shares the same core problem: personal data reaching people it was never meant to reach. A Guardian investigation published on 14 March found that confidential health data from UK Biobank had been posted publicly online on dozens of occasions, the result of researchers accidentally uploading datasets alongside analysis code on GitHub. UK Biobank prohibits researchers from sharing data outside its systems.

One dataset found online contained hospital diagnoses and associated diagnosis dates for approximately 413,000 participants, along with sex, birth month and year. Although names and addresses were not included, the Guardian tested re-identification risk with a volunteer’s consent.

Between July and December 2025, UK Biobank issued 80 legal notices to GitHub requesting the removal of data, leading to approximately 500 repositories being taken down, though some data remained available online. UK Biobank’s chief executive said the organisation had seen no evidence of any participant being re-identified, and maintained that data provided to researchers contains no direct identifiers. The organisation has since introduced additional researcher training and begun proactively monitoring GitHub for exposed files.

Beyond Cybersecurity

What connects both incidents is not their scale or their sector, but their cause. One was a software fault that routed the wrong data to the wrong users, while the other was repeated human error by researchers who had been trusted with access to sensitive records. This points to a category of risk that technical security investment alone cannot address.

According to the 2026 Integris Banking Trust and Technology Report, almost 90% of banking customers trust their institution to protect their personal and financial data, but 67% say they would likely switch banks after a serious breach. Trust of that kind is not automatically resilient. Incidents that place personal data outside a customer’s control, however briefly, carry consequences that outlast the technical resolution.