Companies House ‘developing a case for upgrade investments’ after five-month data-security breach


Leader of ALB tells committee that, while no anomalous activity has yet been identified following discovery of security flaw, anyone found to have made unauthorised filings can expect ‘firm action’

The chief executive of Companies House has said that he is engaged in work on “developing a case for investment to modernise” legacy systems after a security issue may have exposed users’ data over a period of five months.

Earlier this month, Companies House became aware of a flaw – believed to have been caused by an update undertaken in October – which allowed all users to “potentially access and change some elements of another company’s details without their consent”. This access could be gained by pressing the back button four times, it has been reported.

After the issue was discovered, the organisation’s online WebFiling service was shut down for several days, after which all of the UK’s five million registered businesses were advised to check their online data and records of official submissions.

In an update sent to parliament’s Business and Trade Committee after the digital service was reopened, Companies House chief executive Andy King said that “we are undertaking extensive analysis of system records to identify any anomalous activity, [and] this has yet to identify any unauthorised changes, but investigations are ongoing”.

If any users are found to have made unauthorised updates to another firm’s information, the government body will take “firm action” against them, the CEO pledged.

King told MPs that: “We continue to investigate the circumstances that led to this issue. Indicative findings suggest that the issue was caused by an application defect which was not identified during testing or by peer review.”




He added: “Our incident-monitoring systems are designed to detect system failures and our wider security controls are designed to defend against cyberattacks. As this issue stemmed from a functional defect, those monitoring controls were not triggered.”

Before online filing services were reopened for business, Companies House undertook “rigorous testing” of their safety and stability, according to King.

He told the committee that the organisation is now engaged in “taking further actions to strengthen our services”, including “a detailed review [concerning] lessons learned of how the WebFiling defect occurred and what processes need to improve as a result”.

The company registry – which operates as an executive agency of the Department for Business and Trade – also hopes that the security incident might help justify additional spending on upgrading ageing tech.

“This [review] is supported by recent changes to strengthen our governance and assurance of change overall,” King wrote. “More widely, although this was not a cyber-attack, we are continuing to strengthen our security posture in response to a more challenging threat environment, investing in our security operations centre and other capabilities to mitigate these risks. For the longer term, we are developing a case for investment to modernise our architecture and reduce risks associated with legacy applications. This work is an important part of our plan to prevent economic crime entering the system, protecting companies and citizens from harm, and to extend the value of the information within our registers as a key enabler of growth.”

Sam Trendall
