All UK firms urged to check Companies House records after data exposed during five-month ‘security issue’


A tech update made in the autumn is thought to have introduced a vulnerability that enabled users to access information on their rival firms, and even make unauthorised business filings

Companies House has urged all of the UK’s five million registered businesses to check their online data and records of official submissions following a “security issue” lasting five months in which unauthorised users may have been able to access and amend information.

On Friday 13 March, Companies House “was made aware” of the issue, which enabled users of the organisation’s WebFiling service to “potentially access and change some elements of another company’s details without their consent”. This access could be gained by pressing the back button four times, it has been reported. The issue is thought to have been caused by an update made in October.

In an update published on Monday, the government body said: “Our investigation has established that specific data from individual companies not normally published on the Companies House register may have been visible to other logged-in WebFiling users. This includes dates of birth, residential addresses and company email addresses. It may also have been possible for unauthorised filings — such as accounts or changes of director — to have been made on another company’s record.”

As well as millions of firms, the company register also holds records of more than 13 million individual appointments of directors and major shareholders.

Following the incident – which resulted in the closure of the WebFiling service for the entire weekend – businesses throughout the UK are instructed to double-check their information to see if it may have been compromised or altered.

“We are asking all companies to check their registered details and filing history to make sure everything appears correct,” Companies House said. “If a company has a concern, please raise a complaint and include evidence to describe the concern.”

The organisation stressed that “we have no reports at this stage of data having been accessed or changed without permission – however, our investigation is ongoing”.

“We’ll provide further updates as our work progresses and we remain committed to being transparent throughout,” it added.




The incident has been reported to both the Information Commissioner’s Office and the National Cyber Security Centre, while Companies House itself is “actively analysing our data to identify any anomalies, and we’ll be emailing every company’s registered email address to explain how to check their details and what steps to take if they have any concerns”.

“If we find evidence that anyone has used this issue to access or change another company’s details without authorisation, we will take firm action,” it said.

The business registry, which operates as an executive agency of the Department for Business and Trade, said that it has ascertained that existing filed documents were not affected during the incident, nor were passwords and data related to identity verification – such as passport details.

“We believe that this issue could not have been used to extract data in large volumes or to access records systematically,” Companies House added. “Any access would have been limited to individual company records, viewed one at a time by a registered WebFiling user.”

The organisation’s statement concluded with a personal apology from chief executive Andy King.

“I recognise that this incident will have caused concern and inconvenience to many of the companies and individuals who rely on our services. I am sorry for that,” he said. “Companies House takes its responsibility to protect the data entrusted to us extremely seriously. We have taken swift action to secure and restore our service, and are committed to doing everything in our power to support those affected and to making sure that our services continue to merit the trust placed in them.”

Sam Trendall
