Security messages

May 6th, 2024 – Security alert for all bank account data clients

An error occurred in the GoCardless request caching on the Bank Account Data API and Portal between 13:15 and 14:30 UTC on 25 April 2024. There is a low risk of any customer data having been compromised.

Risk of data vulnerability
Caching is a software component that stores data so that future requests for that data can be served faster. An internal error in the setup of HTTPS request caching means that your users' data was vulnerable to other GoCardless Bank Account Data users for a 75-minute period. The data includes IBANs, names of account holders, account details, balances, and transaction history.

For someone to have accessed data, they would have needed the UUID (account_id). This can only be obtained from /requisitions/<requisition_id>/ or /requisitions/ endpoints.

If you did not use the /requisitions/<requisition_id>/ or /requisitions/ endpoint between 13:15 and 14:30 UTC, the likelihood of another user obtaining the IDs necessary to query and access your resources is extremely low. We also confirm that there were no attempts to scan or brute force the UUIDs during the window of vulnerability.
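The following is an added illustration, not GoCardless code, of how a shared HTTP response cache can serve one client's account data to another client. The page does not describe the actual misconfiguration; the assumption here is the common one that the cache key omitted the identity of the authenticated client, so that a second client requesting the same account UUID received the first client's cached response. Client names, the account UUID and the record contents are constructed sample values.

```python
import time

# Constructed sample data: one account UUID that only "client-A" is authorised to read.
UPSTREAM = {
    ("client-A", "/accounts/3fa85f64-0000-4000-8000-000000000001/details/"):
        {"iban": "GB00EXMP00000000000001", "owner": "Example Holder"},
}


def upstream_fetch(client_id, path):
    """Stand-in for the backend, which enforces per-client authorisation."""
    record = UPSTREAM.get((client_id, path))
    if record is None:
        return {"error": "forbidden"}
    return dict(record)


class ResponseCache:
    """Minimal TTL cache; key_fn decides which callers share an entry."""

    def __init__(self, key_fn, ttl_seconds=60):
        self.key_fn, self.ttl, self.store = key_fn, ttl_seconds, {}

    def get(self, client_id, path, now=None):
        now = time.monotonic() if now is None else now
        key = self.key_fn(client_id, path)
        hit = self.store.get(key)
        if hit and hit[0] > now:          # fresh entry: served without re-authorising
            return hit[1]
        value = upstream_fetch(client_id, path)
        self.store[key] = (now + self.ttl, value)
        return value


# Weak: keyed on the URL only, so whatever client A fetched is served to client B
# until the entry expires (the "returned caches dropped off" behaviour above).
leaky_cache = ResponseCache(key_fn=lambda client, path: path)
# Hardened: the authenticated client is part of the key, so entries never cross tenants.
scoped_cache = ResponseCache(key_fn=lambda client, path: (client, path))

ACCOUNT_PATH = "/accounts/3fa85f64-0000-4000-8000-000000000001/details/"


def cross_tenant_read(cache):
    """Client A primes the cache; client B then requests the same UUID. Returns B's view."""
    cache.get("client-A", ACCOUNT_PATH, now=0.0)
    return cache.get("client-B", ACCOUNT_PATH, now=1.0)
```

With the URL-only key, client B receives client A's IBAN and account holder name; with the client-scoped key, B gets the backend's "forbidden" response. Note that B still needs the account UUID, which is why the advisory ties exposure to use of the /requisitions/ endpoints in the window.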

Actions taken by GoCardless
As soon as the issue was detected, GoCardless turned off the caching, putting an immediate stop to the creation of new cache entries; the cached responses already being returned expired over the following minutes.

GoCardless immediately launched an internal investigation and has since reported the incident to the privacy regulator in France (CNIL), following all of the necessary protocols.

In the unlikely event that a user's data was accessed:

IBAN information could be used to set up a Direct Debit. In this instance there is protection in place under the Direct Debit Guarantee or the equivalent scheme.

Transaction history may expose a partially masked card number, including the first 6 and last 4 digits. This information, along with personal details such as full name and address, could be tested and used for unauthorised card payments.

Unauthorised credit checks could be made against the user's name and address details.

GoCardless recommends that you check your accounts and flag any suspicious activity to your bank.

If you recognise any unauthorised activity through the GoCardless platform and would like GoCardless to add restrictions to the bank account used, please contact bank-account-data-support@gocardless.com or help@gocardless.com. GoCardless will ensure that the bank accounts are restricted and that credit checks are removed.