In a troubling turn of events, UK firms are being urged to scrutinise their Companies House data after a significant glitch potentially compromised the sensitive information of countless businesses. The error, which allowed logged-in users to access and modify the personal details of other companies—including directors’ home addresses and email contacts—has prompted an immediate response from the relevant authorities.
Security Breach Highlighted
Companies House became aware of the security issue last Friday, and by Monday, it had announced that the glitch had been rectified. According to the agency, there have been no confirmed reports of data being accessed maliciously. However, the incident has raised alarm bells across the business community, prompting companies to double-check their records for any unauthorised alterations.
Andy King, the Chief Executive of Companies House, expressed his regret over the incident, stating that the matter has been escalated to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC). “Companies House takes its responsibility to protect the data entrusted to us extremely seriously,” King remarked, assuring stakeholders that they are committed to maintaining the trust placed in them.
The Nature of the Glitch
The glitch reportedly stemmed from an update to the WebFiling system, the online service that enables UK company directors to file legal documents such as annual accounts. The flaw was identified last Thursday by John Hewitt, a representative from the corporate services provider Ghost Mail. While attempting to access his own company’s dashboard, Hewitt stumbled upon an access-control flaw that allowed him to view another company’s dashboard simply by navigating back multiple times.

This unexpected access raised concerns regarding the visibility of sensitive information, including dates of birth and residential addresses of directors. Companies House promptly suspended the WebFiling system on Friday for a comprehensive investigation into the issue.
Ongoing Investigation and Guidance for Businesses
As the probe continues, Companies House has reported that while specific personal data might have been visible to other users, passwords remained secure, and there was no unauthorised access to documents filed by companies. Nevertheless, there is a possibility that unauthorised filings—such as changes to director information—could have been made.
In light of this incident, the ICO has confirmed receipt of Companies House’s report and is advising business owners to visit its SME hub for guidance. Companies can expect instructions via email on how to verify their details and what actions to take if they suspect any irregularities. Any business with concerns is encouraged to lodge a formal complaint, providing evidence to substantiate its claims.
Looking Back at Similar Incidents
The recent breach echoes several other notable security lapses across different sectors. For instance, banking apps from Lloyds, Bank of Scotland, and Halifax previously exposed customers to each other’s transactions, while a TfL hack in 2024 impacted around 10 million individuals. Additionally, an error at Microsoft resulted in confidential emails being inadvertently exposed to its AI tool, Copilot. These incidents serve as poignant reminders of the vulnerabilities that can arise in digital systems.

Why it Matters
The implications of this data breach are significant, not just for the businesses directly involved but for the entire landscape of corporate data security in the UK. Companies House plays a pivotal role in the UK’s economic framework, and lapses in its systems could undermine the confidence of business owners and stakeholders alike. As firms scramble to ensure their data integrity, this incident underscores the critical need for robust cybersecurity measures and transparent communication from regulatory bodies. It’s a wake-up call that highlights the importance of vigilance in protecting sensitive information in an increasingly digital world.