Companies House IT Update Blamed for Five-Month Data Security Glitch
Companies House has revealed that a major security vulnerability in its online filing service, which allowed users to access and edit other companies' confidential data, likely stemmed from an IT system update implemented five months ago. The UK's official corporate register confirmed the glitch in its WebFiling service, where pressing a web browser's back button multiple times could expose sensitive information from unrelated business records.
Extended Vulnerability Period
Chief Executive Andy King stated that an internal investigation pointed to a system update in October of the previous year as the probable cause. This means the bug may have gone undetected for approximately five months, during which registered WebFiling users with authorised codes could potentially view and modify data for other companies and their directors.
The accessible information included residential addresses, dates of birth, and company email addresses. Companies House also acknowledged that unauthorised filings, such as changes to accounts or director details, might have been possible on another company's record.
Security Limitations and Immediate Actions
However, the organisation emphasised that passwords remained secure and were not viewable. Data used for identity verification processes, including passport information, was also inaccessible. Importantly, existing filed documents like accounts or confirmation statements could not have been altered through this vulnerability.
Companies House suspended the WebFiling service on Friday after being alerted to the issue by Dan Neidle, founder of Tax Policy Associates. The service reopened on Monday morning after security measures were put in place. The register, which contains over five million companies including FTSE 100 giants like Tesco, BT, BP, and Shell, is now checking for data anomalies.
Executive Response and Ongoing Investigations
Andy King expressed regret for the concern and inconvenience caused, stating: "Companies House takes its responsibility to protect the data entrusted to us extremely seriously. We have taken swift action to secure and restore our service." He added that the glitch likely allowed access only to individual records, not large-scale data extraction.
Companies House is not yet aware of any confirmed reports of unauthorised data access or changes, but investigations continue. The organisation plans to email guidance to every company's registered address on how to check their details and address concerns. King vowed to take firm action if evidence emerges of malicious exploitation.
Expert Warnings and Fraud Risks
Dan Neidle warned that the vulnerability, which required no hacking skills, could have serious implications if exploited. He noted that security researchers see vulnerabilities exploited within 15 days on average, heightening fraud risks for exposed firms.
Companies House has advised all businesses to review their details over the weekend due to potential exposure. The organisation remains committed to transparency and will provide further updates as the investigation progresses.
