Companies House Shuts Online Service After Major Security Glitch Exposes Data

Companies House Forced to Suspend Online Filing Service Following Critical Security Flaw

Companies House, the UK's official corporate register, was compelled to temporarily shut down its online filing service after a significant security vulnerability was discovered. The glitch enabled users to access and modify the confidential data of other businesses, leaving over five million companies exposed to potential fraud and data breaches.

Widespread Vulnerability Exposes Sensitive Information

The bug allowed individuals to alter critical details of company directors, including their names, addresses, email addresses, and full dates of birth. Furthermore, the flaw permitted users to delete or upload fraudulent company accounts for any organisation registered on the platform. This vulnerability impacted some of the UK's largest corporations, such as BP, Shell, HSBC, Unilever, and Tesco, all of which are listed on the official register.

Simple Exploit Bypassed Security Measures

Exploiting the glitch was remarkably straightforward. Users only needed to log into the Companies House website and enter another company's registration number. Although the system prompted for a security code, this could be circumvented by repeatedly pressing the 'back' button on a web browser. Once bypassed, users gained access to the dashboard of the targeted company instead of their own.
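A server-side control for the flow described above, as an added example (not Companies House code; the page does not describe the underlying cause): access to a company's dashboard is decided on every request from a per-company verified set held in the session, so a typed-in company number never grants anything until its code has been checked, whatever pages the browser navigates through. All function names, company numbers and codes here are constructed for illustration.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: company number -> authentication code.
AUTH_CODES = {"00000001": "A1B2C3", "00000002": "X9Y8Z7"}
MAX_ATTEMPTS = 3


class AccessDenied(Exception):
    pass


@dataclass
class Session:
    user: str
    pending: Optional[str] = None               # number typed in, not yet authorised
    verified: set = field(default_factory=set)  # numbers whose code was checked
    failures: int = 0


def select_company(s: Session, number: str) -> None:
    """Step 1: the user enters a company number. This grants nothing."""
    s.pending = number


def submit_code(s: Session, code: str) -> bool:
    """Step 2: check the code for the pending company in constant time."""
    if s.pending is None or s.failures >= MAX_ATTEMPTS:
        raise AccessDenied("no pending company or too many failed attempts")
    expected = AUTH_CODES.get(s.pending, "")
    ok = bool(expected) and hmac.compare_digest(code.encode(), expected.encode())
    if ok:
        s.verified.add(s.pending)
    else:
        s.failures += 1
    s.pending = None  # each prompt is single-use, whether it passed or failed
    return ok


def dashboard(s: Session, number: str) -> str:
    """Step 3: authorise on every request; page history is irrelevant."""
    if number not in s.verified:
        raise AccessDenied(f"{s.user} has not authenticated for {number}")
    return f"dashboard:{number}"
```
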

Legal and Security Implications Highlighted

Even accidental access to unauthorised data could result in severe legal consequences. Under the UK Computer Misuse Act 1990, individuals who use a computer to view data without permission face up to two years in prison. If the access is intended to commit further offences, such as fraud, the penalty can extend to five years' imprisonment.

Dan Neidle, founder of the non-profit organisation Tax Policy Associates, identified and reported the issue to Companies House after being alerted by John Hewitt of corporate services provider Ghost Mail. Neidle emphasised the serious security and GDPR implications, noting that the vulnerability exposed directors' home and email addresses for millions of companies, with uncertainty about which organisations were affected.

Official Response and Investigation Underway

In response to the incident, Companies House confirmed the problem with its WebFiling service and announced its closure while an investigation is conducted. A spokesperson stated, 'We are aware of an issue with our WebFiling service and have closed it while we investigate. We apologise for any inconvenience to our customers.' The organisation has been contacted for further comment regarding the breach and its ongoing efforts to secure the system.