A major security flaw with Companies House has exposed the private details of directors at millions of businesses in the UK.
Companies House, which serves as the UK’s official corporate register, was forced to shut down its online filing service after the vulnerability was discovered last Friday. The issue has since been fixed, with the service restored on Monday morning.
The reported bug allowed users of Companies House WebFiling system to view specific data from the 5 million registered companies, including the dates of birth and residential addresses of a business’s key personnel.
The bug also allowed logged-in WebFiling users to change some elements of another company’s details, such as the addresses and emails of directors, without consent.
First discovered by John Hewitt from the corporate services provider Ghost Mail, the flaw could be exploited simply by pressing the back key four times while viewing a registered company on the WebFiling system.
An internal investigation indicates that the issue arose after an update to the WebFiling systems of Companies House in October last year.
“We are asking all companies to check their registered details and filing history to make sure everything appears correct,” said Andy King, chief executive officer of Companies House.
“We have taken swift action to secure and restore our service, and are committed to doing everything in our power to support those affected and to make sure that our services continue to merit the trust placed in them.”
Mr King added that there was no evidence that any data has been accessed or changed without permission, though the investigation remains ongoing.
The incident is also under review by the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC).
An ICO spokesperson advised business owners to view guidance on its SME advice hub. Companies House has also urged any business that may have been impacted to raise a complaint.
