Security messages

September 9th, 2025 – Connection issues and missing historical transactions

Between 2025-09-03 09:00:00 and 2025-09-05 13:10:00 UTC, responses from the /transactions endpoint were incomplete, so some transactions were missing.

For accounts connected before 2025-09-03 09:00:00 UTC, complete data is returned if you request /transactions again. Reconnecting these accounts is not required.

However, a portion of accounts connected between 2025-09-03 09:00:00 and 2025-09-05 13:10:00 UTC will still have some historical transactions missing from the responses. To get the full transaction history for these accounts, they must be reconnected.

Other types of data, such as balances, details, and metadata, are not affected. The last 30 days of transactions will also be intact for accounts connected during the incident timeframe if you sync the data again without reconnecting.
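As an added example (not part of this notice and not GoCardless code), the following Python triages a list of requisitions against the window above and tells you, per linked account, whether a plain re-request of /transactions is enough or the end user has to reconnect. It assumes requisition objects of the shape returned by the /requisitions/ listing, with id, created (ISO 8601) and accounts fields; the requisition and account IDs in the sample are constructed.

```python
from datetime import datetime, timezone

# Incident window from the notice above (UTC, inclusive).
INCIDENT_START = datetime(2025, 9, 3, 9, 0, 0, tzinfo=timezone.utc)
INCIDENT_END = datetime(2025, 9, 5, 13, 10, 0, tzinfo=timezone.utc)


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 timestamp; naive values are assumed to be UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)


def classify(created: datetime) -> str:
    """Map a requisition's creation time to the action the notice prescribes."""
    if created < INCIDENT_START:
        return "resync"      # full history comes back by calling /transactions again
    if created <= INCIDENT_END:
        return "reconnect"   # only the last 30 days survive a plain re-sync
    return "none"            # connected after the fix; nothing to do


def triage(requisitions: list) -> dict:
    """Group every (requisition_id, account_id) pair by required action.

    Requisitions with no linked accounts contribute nothing.
    """
    buckets = {"resync": [], "reconnect": [], "none": []}
    for req in requisitions:
        action = classify(parse_ts(req["created"]))
        for account_id in req.get("accounts", []):
            buckets[action].append((req["id"], account_id))
    return buckets


# Constructed sample in the shape of a /requisitions/ listing; all IDs are fake.
SAMPLE_REQUISITIONS = [
    {"id": "aaaaaaaa-0000-4000-8000-000000000001", "created": "2025-08-20T10:15:00Z",
     "accounts": ["bbbbbbbb-0000-4000-8000-000000000001"]},
    {"id": "aaaaaaaa-0000-4000-8000-000000000002", "created": "2025-09-03T09:00:00Z",
     "accounts": ["bbbbbbbb-0000-4000-8000-000000000002",
                  "bbbbbbbb-0000-4000-8000-000000000003"]},
    # Created 06:30 UTC (inside the window) but never linked, so no account to act on.
    {"id": "aaaaaaaa-0000-4000-8000-000000000003", "created": "2025-09-04T08:30:00+02:00",
     "accounts": []},
    {"id": "aaaaaaaa-0000-4000-8000-000000000004", "created": "2025-09-06T12:00:00Z",
     "accounts": ["bbbbbbbb-0000-4000-8000-000000000004"]},
]

if __name__ == "__main__":
    for action, pairs in triage(SAMPLE_REQUISITIONS).items():
        print(f"{action}: {len(pairs)} account(s)")
        for req_id, acct_id in pairs:
            print(f"  requisition {req_id} -> account {acct_id}")
```

The window boundaries are treated as inclusive on the affected side, so a requisition created at exactly 2025-09-03 09:00:00 UTC lands in the reconnect bucket; offsets other than Z are normalised to UTC before comparison, which matters if your own records store local time.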

If helpful, we are happy to provide a detailed list of the accounts and requisitions in your account that have been affected and might require further action (for example, asking the end user to reconnect).

We sincerely apologise for the inconvenience caused and are ready to answer any questions you might have.

May 6th, 2024 – Security alert for all bank account data clients

An error occurred in the GoCardless request caching on the Bank Account Data API and Portal between 13:15 and 14:30 UTC on 25 April 2024. There is a low risk of any customer data having been compromised.

Risk of data vulnerability
Caching is a software component that stores data so that future requests for that data can be served faster. An internal error in the setup of HTTPS request caching meant that your users' data was accessible to other GoCardless Bank Account Data users for a 75 minute period. The data includes IBANs, names of account holders, account details, balances, and transaction history.

For someone to have accessed data, they would have needed the account UUID (account_id). This can only be obtained from the /requisitions/<requisition_id>/ or /requisitions/ endpoints.

If you did not use the /requisitions/<requisition_id>/ or /requisitions/ endpoints between 13:15 and 14:30 UTC, the likelihood of another user having obtained the IDs necessary to query and access your resources is extremely low. We also confirm that there were no attempts to scan or brute force the UUIDs during the timeframe of the vulnerability.
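To apply that check to your own records, here is an added example in Python (not from this notice and not GoCardless code) that scans outbound API access logs for calls to the requisitions endpoints inside the window, since only those responses carried account_ids that the faulty cache could have served to another client. The log line format and the sample lines are constructed, the API host bankaccountdata.gocardless.com and path prefix /api/v2/ are assumptions, and the UUIDs are fake.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Exposure window from the notice above (UTC, inclusive).
WINDOW_START = datetime(2024, 4, 25, 13, 15, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 4, 25, 14, 30, 0, tzinfo=timezone.utc)

# Assumed log format: "<ISO timestamp> <METHOD> <URL> <status>", one request per line.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})\b")
# Matches the list endpoint (no id) and the detail endpoint (36-character UUID); assumed path prefix.
REQ_PATH_RE = re.compile(r"^/api/v2/requisitions/(?:(?P<rid>[0-9a-fA-F-]{36})/?)?$")


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 timestamp; naive values are assumed to be UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)


def requisition_calls_in_window(lines, start=WINDOW_START, end=WINDOW_END):
    """Return successful /requisitions calls made inside the window, in log order.

    Each hit records when it happened, the method, and the requisition id
    (None for the list endpoint, which returns every requisition, and so
    every account_id, in one response).
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        if not m["status"].startswith("2"):
            continue  # error responses carry no account_ids to cache
        ts = parse_ts(m["ts"])
        if not (start <= ts <= end):
            continue
        path_match = REQ_PATH_RE.match(urlparse(m["url"]).path)
        if not path_match:
            continue  # some other endpoint; account_ids are not returned there
        hits.append({"ts": ts, "method": m["method"], "requisition_id": path_match["rid"]})
    return hits


def summarize(hits):
    """Condense hits into what you need to decide whether end users may be affected."""
    return {
        "total": len(hits),
        "list_calls": sum(1 for h in hits if h["method"] == "GET" and h["requisition_id"] is None),
        "requisition_ids": sorted({h["requisition_id"] for h in hits if h["requisition_id"]}),
    }


# Constructed sample log; host, path prefix and UUIDs are placeholders.
LOG_LINES = """\
2024-04-25T13:02:41Z GET https://bankaccountdata.gocardless.com/api/v2/requisitions/ 200
2024-04-25T13:21:07Z GET https://bankaccountdata.gocardless.com/api/v2/requisitions/11111111-1111-4111-8111-111111111111/ 200
2024-04-25T13:21:09Z GET https://bankaccountdata.gocardless.com/api/v2/accounts/22222222-2222-4222-8222-222222222222/transactions/ 200
2024-04-25T14:05:33Z GET https://bankaccountdata.gocardless.com/api/v2/requisitions/ 200
2024-04-25T14:29:59Z POST https://bankaccountdata.gocardless.com/api/v2/requisitions/ 201
2024-04-25T14:31:10Z GET https://bankaccountdata.gocardless.com/api/v2/requisitions/33333333-3333-4333-8333-333333333333/ 200
""".splitlines()

if __name__ == "__main__":
    summary = summarize(requisition_calls_in_window(LOG_LINES))
    print(f"{summary['total']} requisition call(s) in window, "
          f"{summary['list_calls']} of them full listings")
    for rid in summary["requisition_ids"]:
        print(f"  requisition fetched individually: {rid}")
```

A single GET of the list endpoint inside the window is the worst case, because that one response exposes the account_ids of every requisition you held at the time; individual requisition fetches narrow the set to the IDs listed. Calls at 13:02 and 14:31 in the sample fall outside the window and are ignored, as is the POST that creates a requisition, which is reported but not counted as a listing.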

Actions taken by GoCardless
As soon as the issue was detected, GoCardless turned off the caching, which immediately stopped new cache entries from being generated; the cached responses still being served dropped off over the following minutes.

GoCardless immediately launched an internal investigation and has since reported the incident to the privacy regulator in France (CNIL), following all of the necessary protocols.

In the unlikely event that a user’s data was accessed:

IBAN information could be used to set up a Direct Debit. In this instance there is protection in place under the Direct Debit Guarantee or scheme equivalent.

Transaction history may expose a partially masked card number, including the first 6 and last 4 digits. This information, along with personal details such as full name and address, could be tested and used for unauthorised card payments.

Unauthorised credit checks could be made against their name and address details.

GoCardless recommends that account holders check their accounts and flag any suspicious activity to their bank.

If you recognise any unauthorised activity through the GoCardless platform and would like GoCardless to add restrictions to the bank account used, please contact bank-account-data-support@gocardless.com or help@gocardless.com, and GoCardless will ensure the bank account is restricted and any credit checks are removed.