Companies House has disclosed that a serious security vulnerability in its WebFiling service, which allowed logged-in users to view and modify data belonging to other companies and their directors, may have gone undetected for approximately five months. The UK's official corporate register said the flaw was most likely introduced by an IT system update rolled out in October of the previous year.
Service Suspension and Investigation
The WebFiling service was temporarily suspended on Friday after Companies House was alerted to the bug by Dan Neidle, founder of Tax Policy Associates. It was reopened on Monday morning following an internal investigation led by chief executive Andy King. This service is critical for over five million registered companies, including major FTSE 100 entities such as Tesco, BT, BP, and Shell.
Nature of the Vulnerability
The flaw allowed legitimate WebFiling users, logged in with a valid authentication code, to reach other companies' records simply by repeatedly pressing the browser's back button. The data exposed this way included directors' dates of birth, residential addresses, and company email addresses. Companies House also acknowledged that unauthorised filings, such as accounts or changes to directors, could in principle have been submitted against another company's record.
However, the organisation stressed that passwords were not exposed. Data supplied for identity verification, such as passport details, was likewise out of reach, and documents already on file, including accounts and confirmation statements, could not have been altered through this vulnerability.
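The page does not say what the update changed, so the real root cause is unknown. The following is an editor's illustration, not Companies House code and not a reconstruction of the WebFiling defect: it models the general class of bug the description fits, a server that authorises a user once at login and then trusts the company number carried by later requests, which a browser can replay from history via the back button, next to a handler that re-checks object-level authorisation on every request. Every company number, name, director detail and authentication code below is constructed for the example.

```python
from copy import deepcopy
from dataclasses import dataclass
from typing import Optional

# Constructed sample register. Company numbers, names, director details and
# authentication codes are all invented for this example.
REGISTER = {
    "00000001": {"name": "Alpha Ltd", "director_dob": "1970-01-01",
                 "address": "1 Example Street", "email": "alpha@example.invalid",
                 "filings": []},
    "00000002": {"name": "Beta Ltd", "director_dob": "1985-06-15",
                 "address": "2 Example Street", "email": "beta@example.invalid",
                 "filings": []},
}

# One WebFiling-style authentication code per company (hypothetical values).
AUTH_CODES = {"AAAA11": "00000001", "BBBB22": "00000002"}


def fresh_register() -> dict:
    """Return a private copy of the sample register so each run starts clean."""
    return deepcopy(REGISTER)


class AuthorizationError(Exception):
    pass


@dataclass
class Session:
    """Server-side session: the company the presented auth code was valid for."""
    company: str


@dataclass
class Request:
    """A browser request. `company` is whatever the URL or form carried; the
    browser can replay it from history (for example via the back button), so
    the server must not assume it still matches the session."""
    session: Session
    company: str
    filing: Optional[dict] = None   # None = view only; dict = submit a filing


def login(auth_code: str) -> Session:
    """Authorise once, at login, against the code-to-company table."""
    try:
        return Session(company=AUTH_CODES[auth_code])
    except KeyError:
        raise AuthorizationError("invalid authentication code") from None


def handle_vulnerable(req: Request, register: dict) -> dict:
    """Flawed handler: authorisation happened at login, so the company number
    carried by the request is trusted without being re-checked."""
    record = register[req.company]
    if req.filing is not None:
        record["filings"].append(req.filing)
    return deepcopy(record)


def handle_fixed(req: Request, register: dict) -> dict:
    """Hardened handler: object-level authorisation on every request."""
    if req.company != req.session.company:
        raise AuthorizationError(
            f"session for company {req.session.company} may not access {req.company}")
    record = register[req.company]
    if req.filing is not None:
        record["filings"].append(req.filing)
    return deepcopy(record)


def replay_back_button(handler) -> dict:
    """Simulate the scenario: a user logged in for Alpha Ltd whose browser
    replays a request addressed to Beta Ltd, first to view, then to file."""
    register = fresh_register()
    session = login("AAAA11")                        # authorised for Alpha only
    view = Request(session, "00000002")              # replayed URL for Beta
    change = Request(session, "00000002",
                     filing={"type": "director-change", "name": "Mallory"})
    outcome = {"leaked": None, "filed": False, "blocked": False}
    try:
        outcome["leaked"] = handler(view, register)["director_dob"]
        handler(change, register)
        outcome["filed"] = len(register["00000002"]["filings"]) == 1
    except AuthorizationError:
        outcome["blocked"] = True
    return outcome


if __name__ == "__main__":
    print("vulnerable:", replay_back_button(handle_vulnerable))
    print("fixed:     ", replay_back_button(handle_fixed))
```

Run as a script, the vulnerable handler leaks Beta Ltd's director date of birth and accepts a director-change filing from a session that was only ever authorised for Alpha Ltd, while the fixed handler rejects both. The design point is that the check lives in the request path, keyed on the identifier the request actually names, rather than in whatever state the server recorded at login.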
Limitations and Response
Andy King stated that the issue was limited in scope, explaining, "We believe that this issue could not have been used to extract data in large volumes or to access records systematically. Any access would have been limited to individual company records, viewed one at a time by a registered WebFiling user."
He expressed regret for the incident, saying, "I recognise that this incident will have caused concern and inconvenience to many of the companies and individuals who rely on our services. I am sorry for that. Companies House takes its responsibility to protect the data entrusted to us extremely seriously. We have taken swift action to secure and restore our service, and are committed to doing everything in our power to support those affected and to making sure that our services continue to merit the trust placed in them."
Advice and Implications
Over the weekend, firms were advised to check their details on the register, since an unauthorised filing or an altered director record could be used to facilitate fraud. Two features of the incident stand out: the flaw arrived with a routine system update, and it went unnoticed for roughly five months until an outside party reported it. That argues for regression-testing access controls after every release of a government digital service, and for monitoring that can flag a logged-in user reaching a company record their authentication code does not cover.
