A broken access control defect (CWE-284, CWE-639; the insecure direct object reference, or IDOR, pattern) in Lloyds Banking Group’s shared mobile banking backend exposed transaction histories and personal financial data for approximately 447,000 customers across the Lloyds, Halifax, and Bank of Scotland brands. No external attack vector or credential theft was involved: the exposure was an internal authorization failure in which authenticated sessions could retrieve other customers’ records by referencing their identifiers. No unauthorized fund transfers were reported, but the incident triggers breach notification obligations under UK GDPR Article 33 and the FCA’s incident reporting requirements. Organizations operating multi-tenant or multi-brand mobile banking backends should audit API endpoint authorization logic for IDOR patterns, classified as OWASP API1:2023 (Broken Object Level Authorization), and confirm that every data retrieval call enforces a server-side check binding the requested object to the authenticated principal, rather than relying solely on the presence of a valid token.
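The following is an added illustration, not code from Lloyds Banking Group or from the original page, of the authorization failure described above and of the object-level check that closes it. It uses a constructed in-memory store with two customers at different brands, hypothetical handler names (`transactions_vulnerable`, `transactions_hardened`) and a small probe a practitioner can drop into a regression suite to detect a BOLA/IDOR regression on any handler with the same signature:

```python
"""Object-level authorization (OWASP API1:2023 / CWE-639) on an account-data
endpoint. Constructed example with an in-memory store; all names, tokens and
account identifiers are made up for illustration."""

from dataclasses import dataclass
from typing import Callable


class Forbidden(Exception):
    """Request is not authenticated (missing or invalid token)."""


class NotFound(Exception):
    """Object does not exist for this caller."""


@dataclass(frozen=True)
class Session:
    token: str        # opaque bearer token presented by the mobile app
    customer_id: str  # principal the token was issued to
    brand: str        # brand app the token was issued through


# Constructed sample data: one customer per brand.
ACCOUNTS = {
    "acc-1001": {"owner": "cust-A", "brand": "lloyds"},
    "acc-2002": {"owner": "cust-B", "brand": "halifax"},
}
TRANSACTIONS = {
    "acc-1001": [{"amount": -12.50, "desc": "COFFEE"}],
    "acc-2002": [{"amount": 2200.00, "desc": "SALARY"}],
}
VALID_TOKENS = {
    "tok-A": Session("tok-A", "cust-A", "lloyds"),
    "tok-B": Session("tok-B", "cust-B", "halifax"),
}


def authenticate(token: str) -> Session:
    """Authentication only: proves who the caller is, not what they may read."""
    session = VALID_TOKENS.get(token)
    if session is None:
        raise Forbidden("missing or invalid token")
    return session


def transactions_vulnerable(token: str, account_id: str) -> list:
    """Vulnerable pattern: the check stops at token presence. Any authenticated
    caller can read any account by supplying its identifier (IDOR)."""
    authenticate(token)
    if account_id not in TRANSACTIONS:
        raise NotFound(account_id)
    return TRANSACTIONS[account_id]


def load_owned_account(session: Session, account_id: str) -> dict:
    """Object-level authorization: bind the requested object to the principal.
    'Not found' and 'not yours' return the same error so a caller cannot use
    the response to enumerate which identifiers exist."""
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != session.customer_id:
        raise NotFound(account_id)
    return account


def transactions_hardened(token: str, account_id: str) -> list:
    """Hardened pattern: authenticate, then resolve the object *through* the
    principal before returning any data from it."""
    session = authenticate(token)
    load_owned_account(session, account_id)
    return TRANSACTIONS[account_id]


def idor_probe(handler: Callable[[str, str], list],
               attacker_token: str = "tok-A",
               victim_account: str = "acc-2002") -> bool:
    """Regression check for BOLA: return True if a valid session for one
    customer can read an account belonging to another customer."""
    try:
        handler(attacker_token, victim_account)
    except (Forbidden, NotFound):
        return False
    return True


if __name__ == "__main__":
    print("vulnerable handler leaks:", idor_probe(transactions_vulnerable))
    print("hardened handler leaks:  ", idor_probe(transactions_hardened))
```

The design point is that the ownership check lives in the object loader, so every endpoint that reads an account goes through the same binding rather than re-implementing (and occasionally forgetting) the check per handler; the probe is the kind of test that should run against every object-returning route, not just the one that was found to be broken.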