Companies House glitch sparks fraud fears after directors’ details exposed

A glitch on Companies House’s website has allowed people to access directors’ personal and business details, potentially exposing them to fraud.

The UK’s official corporate register has now suspended its online filing service after it was alerted to the issue on Friday (Mar 13).

A vulnerability in the service allowed people to access other companies’ details by pressing the back key on their site’s dashboard.

Data that could reportedly be viewed because of the glitch included directors’ home addresses, email addresses, and dates of birth.

Companies House was alerted to the issue on Friday by Dan Neidle, founder of Tax Policy Associates, after being told by John Hewitt at Ghost Mail, a business services provider, reported The Times.

Neidle said the glitch could be ‘very serious’ if it was in place for a long time, adding it was an ‘absolutely insane vulnerability in how easy it is to find’.

He told the Press Association: ‘People could get enough data about a company and its directors to potentially commit fraud – to pretend to be it.

‘Even worse, they could change the address to their address so they could pick up documents and, if you could file accounts, you could do all kinds of damage.’

Discussing the glitch, Neidle added: ‘If it was only there for 36 hours, then maybe it’s fine.

‘But if it was there for a month or more, it’s very serious.

‘Security researchers say 15 days is the average time it takes for a vulnerability to be exploited, and this was a particularly easy vulnerability with no hacking required.’

In a statement issued on Monday (Mar 16) afternoon, Companies House said the issue was ‘not accessible to the general public. Only users with an authorised code and logged in to the service could have performed this action’.

It added: ‘Passwords were not compromised; no data used as part of our identity verification process, such as passport information, was accessed; no existing filed documents, such as accounts or confirmation statements could have been altered.

‘We believe that this issue could not have been used to extract data in large volumes or to access records systematically. Any access would have been limited to individual company records, viewed one at a time by a registered WebFiling user.’

Companies House said it has reported the incident to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC), and that if it finds evidence of individuals accessing or changing another company’s details without authorisation, it would take ‘firm action’.

CEO of Companies House, Andy King, also issued an apology, which read: ‘I recognise that this incident will have caused concern and inconvenience to many of the companies and individuals who rely on our services. I am sorry for that.

‘Companies House takes its responsibility to protect the data entrusted to us extremely seriously. We have taken swift action to secure and restore our service, and are committed to doing everything in our power to support those affected and to making sure that our services continue to merit the trust placed in them.’

In guidance for affected customers, Companies House stated: ‘If you miss your filing deadline due to the service being unavailable, there’s no need to call us.

‘File as soon as you can once the service is available, and take a screenshot of any error messages and note the time and date. We’ll take this evidence into account if you cannot file.’

Under the Computer Misuse Act 1990, unauthorised access to computer material carries a maximum prison sentence of two years, and the penalty increases to up to five years for accessing data with the intent to commit further offences, such as fraud.

Companies House maintains records of more than five million companies, including large FTSE 100 companies such as AstraZeneca, Shell, and Tesco.

Story updated, Mar 16, 14:50