A significant data security breach at Companies House has raised alarm bells across the UK business community, prompting a call for all companies to scrutinise their records. The glitch, which allowed logged-in users to potentially view and edit sensitive information from other firms, has left many questioning the safety of their personal data.
A Glitch Uncovered
Last week, Companies House became aware of a critical security flaw affecting its WebFiling system, an online platform that facilitates the submission of essential legal documents by UK company directors. This issue was first identified on Thursday by John Hewitt, a representative from corporate services provider Ghost Mail. By a twist of fate, he discovered that by navigating through his own company’s dashboard, he could access the dashboard of another company simply by hitting the back button multiple times.
This alarming vulnerability allowed users to potentially view sensitive information, including directors’ home addresses and email accounts, without consent. Companies House acted promptly, closing the WebFiling system on Friday to investigate the breach, and by Monday, the issue was reportedly resolved.
Andy King, the chief executive of Companies House, expressed his regret over the incident, assuring the public that the agency takes its data protection responsibilities very seriously. “Swift action was taken to restore the service, and we are committed to supporting those affected,” he stated.
What Data Was at Risk?
The investigation revealed that specific personal data, such as directors’ dates of birth and residential addresses, could have been visible to other users logged into the WebFiling system. Furthermore, it was suggested that unauthorised filings—like changes to account information or director roles—might have been made on behalf of other companies. Fortunately, Companies House clarified that passwords remained secure and that no identity verification data, including passports, had been accessed.
The agency has reassured users that existing documents, such as annual accounts or confirmation statements, could not have been altered during this incident. As part of its ongoing investigation, Companies House is diligently assessing whether any data was accessed or modified without appropriate permissions.
Guidance for Affected Businesses
In light of this breach, Companies House has urged all businesses to verify their details. Companies can expect to receive an email at their registered addresses outlining how to check their information and what actions to take if they have concerns. Business owners are encouraged to consult the SME hub for guidance and to report any suspicious activity they may encounter.
Additionally, the Information Commissioner’s Office (ICO) has confirmed that it is aware of the situation and is monitoring developments closely. Companies that suspect they have been affected should file a complaint, providing relevant evidence to support their claims.
A Broader Context of Cybersecurity Concerns
This incident at Companies House is not an isolated event. Similar security lapses have been reported across various sectors, including banking and public transport. For instance, applications from Lloyds, Bank of Scotland, and Halifax recently displayed transactions belonging to other users. Moreover, the Transport for London (TfL) hack in 2024 affected approximately 10 million individuals, while a Microsoft error inadvertently exposed confidential emails to an AI tool. These incidents underscore the pressing need for robust cybersecurity measures in the digital age.
Why it Matters
The recent breach at Companies House serves as a critical reminder of the vulnerabilities that can exist within digital platforms, particularly those that handle sensitive personal information. As businesses increasingly rely on online systems for their operations, the importance of safeguarding data cannot be overstated. This incident not only highlights the need for vigilance among companies but also reinforces the essential role of regulatory bodies in maintaining data security standards. In a world where trust is paramount, ensuring the safety of personal and corporate information is fundamental to fostering confidence in digital systems.
