Companies House Halts Service After Data Breach Exposes Personal Details

Companies House, the UK's official corporate register, has been forced to suspend its online filing service following the discovery of a significant security vulnerability. This glitch permitted users to access and potentially edit the personal data of other businesses, creating a substantial risk of fraud and identity theft.

Details of the Data Exposure Incident

The vulnerability was identified within the WebFiling service dashboard. By simply pressing the back button in their browser, individuals could reportedly view sensitive information belonging to other companies. This exposed data included directors' home addresses, email addresses, and dates of birth—critical details that could be exploited for fraudulent activities.

Dan Neidle, founder of Tax Policy Associates, alerted Companies House to the issue on Friday. He described the flaw as "absolutely insane" due to the ease with which it could be exploited, emphasising that no advanced hacking skills were required.

Potential Consequences and Legal Implications

Mr. Neidle warned that the breach could have "very serious" implications if it remained undetected for an extended period. He explained, "People could get enough data about a company and its directors to potentially commit fraud—to pretend to be it. Even worse, they could change the address to their address so they could pick up documents and, if you could file accounts, you could do all kinds of damage."

Under the Computer Misuse Act 1990, unauthorised access to computer material carries a maximum prison sentence of two years. This penalty increases to up to five years if the access is conducted with intent to commit further offences, such as fraud.

Response from Companies House and Customer Guidance

A Companies House spokesperson confirmed the suspension on Friday evening, stating, "We are aware of an issue with our WebFiling service and have closed it while we investigate. We apologise for any inconvenience to our customers."

In guidance issued to affected customers, Companies House advised that those missing filing deadlines due to the service outage should file as soon as possible once the service resumes. They recommended taking screenshots of any error messages and noting the time and date, which will be considered as evidence if filing becomes impossible.

Broader Context and Security Concerns

Companies House maintains records for over five million companies, including major FTSE 100 entities such as AstraZeneca, Shell, and Tesco. This incident highlights ongoing cybersecurity challenges within critical national infrastructure.

Security researchers note that vulnerabilities take an average of 15 days to be exploited once discovered. Mr. Neidle added, "If it was only there for 36 hours, then maybe it's fine. But if it was there for a month or more, it's very serious." The suspension allows for a thorough investigation to prevent further unauthorised access and protect sensitive corporate information.