In a significant development, Companies House has temporarily halted its online filing service due to a serious vulnerability that risked exposing sensitive personal information of company directors. This issue, which has raised alarm bells over data security, was identified on Friday by Dan Neidle, founder of Tax Policy Associates. The glitch reportedly allowed users to access and potentially edit the details of other businesses by merely navigating back on their dashboard—a situation that could lead to serious fraud.
Glitch Exposes Sensitive Information
The vulnerability in Companies House, the UK’s official corporate register, reportedly allowed unauthorised access to crucial data, including directors’ home addresses, email addresses, and dates of birth. Neidle expressed concern about the potential ramifications of such a flaw, stating, “People could get enough data about a company and its directors to potentially commit fraud.” He highlighted the ease with which someone could manipulate the information, such as changing a company’s registered address to their own, thereby gaining control over important documentation.
The severity of the glitch is underscored by Neidle’s assertion that if the vulnerability had been active for an extended period, the implications could be dire. According to security researchers, the average time it takes for a vulnerability to be exploited is around 15 days, and given the nature of this issue, it posed significant risks without requiring any advanced hacking skills.
Companies House Responds
In light of the breach, Companies House has issued a statement acknowledging the issue with its WebFiling service and confirming that the platform will remain closed while investigations are conducted. A spokesperson for the agency apologised for any inconvenience caused to users and reassured them that the agency is actively working to resolve the matter.

In their communication to affected customers, Companies House provided guidance on how to proceed if filing deadlines were missed due to the service disruption. They advised users to file as soon as the service is restored and to document any error messages encountered, as this evidence would be taken into account regarding missed deadlines.
Legal Implications of the Breach
Under the Computer Misuse Act 1990, unauthorised access to computer systems carries a maximum prison sentence of two years. If the intent is to commit further offences, such as fraud, the penalty can escalate to five years. This legal framework underscores the seriousness of the situation and the potential consequences for anyone attempting to exploit the data accessed through the glitch.
With records for over five million companies, including prominent FTSE 100 names like AstraZeneca, Shell, and Tesco, Companies House plays a crucial role in maintaining transparency in the UK corporate sector. The integrity of this system is vital not only for businesses but also for the public’s trust in the regulatory framework that governs them.
Why it Matters
The incident at Companies House highlights a critical vulnerability in the management of sensitive data within public registries. As businesses increasingly rely on digital platforms for their operations, the importance of robust cybersecurity measures cannot be overstated. This breach not only poses risks to individual directors whose personal information has been compromised but also raises broader questions about the security protocols in place at vital institutions. The ability to safeguard such information is essential for maintaining public trust and ensuring the integrity of the corporate landscape in the UK.
