Companies House, the United Kingdom's official corporate register, has been forced to suspend its online filing service following the discovery of a significant security vulnerability. The glitch reportedly allowed users to access and potentially edit the personal data of other businesses, raising serious concerns about fraud and data protection.
Security Flaw Exposes Sensitive Information
The vulnerability was identified within the WebFiling service dashboard, where pressing the back key could enable unauthorised access to other companies' confidential records. According to reports, the exposed data included directors' home addresses, email addresses, and dates of birth – information that could be exploited for fraudulent activities.
Researcher Raises Alarm
The issue was brought to light on Friday by Dan Neidle, founder of Tax Policy Associates, who described the vulnerability as "absolutely insane" in its simplicity. Mr Neidle warned that the glitch could have "very serious" consequences if it had remained undetected for an extended period.
"People could get enough data about a company and its directors to potentially commit fraud – to pretend to be it," Mr Neidle told the Press Association. "Even worse, they could change the address to their address so they could pick up documents and, if you could file accounts, you could do all kinds of damage."
Timeline Concerns
Security experts have noted that vulnerabilities take, on average, 15 days to be exploited once discovered. Mr Neidle emphasised that this particular flaw was especially concerning because "this was a particularly easy vulnerability with no hacking required."
He added: "If it was only there for 36 hours, then maybe it's fine. But if it was there for a month or more, it's very serious."
Official Response and Customer Guidance
A Companies House spokesperson confirmed on Friday evening: "We are aware of an issue with our WebFiling service and have closed it while we investigate. We apologise for any inconvenience to our customers."
The organisation has issued specific guidance for affected customers, stating that those who miss filing deadlines due to the service suspension should file as soon as possible once the service resumes. Companies House advised taking screenshots of any error messages and noting the time and date, promising to consider this evidence in cases where timely filing was impossible.
Legal Implications
Under the Computer Misuse Act 1990, unauthorised access to computer material carries a maximum prison sentence of two years. The penalty increases to up to five years for accessing data with intent to commit further offences, such as fraud.
Scale of the Register
Companies House maintains records for more than five million registered companies across the United Kingdom. This includes major FTSE 100 corporations such as AstraZeneca, Shell, and Tesco, though it remains unclear whether any of these large entities were affected by the security breach.
The suspension comes at a critical time for business compliance, with many companies facing filing deadlines. The incident highlights ongoing challenges in digital security for government services handling sensitive commercial and personal information.
