The Independent UK
Harriette Boucher

What you need to know after millions of UK firms’ data shared in major glitch

The glitch is thought to have been in place since October - (Getty/iStock)

Businesses are being urged to check their filings with Companies House following a major data glitch on the website, which might have exposed the private details of millions of UK business directors.

For the last five months, a bug in the system could have allowed people to view or edit the information of more than five million companies, just by pressing the back key on their web browser several times.

The UK’s official corporate register was alerted to the breach on Friday.

Graeme Stewart, the head of public sector at Check Point Software, said: “This is the latest in a series of public sector data disasters that threatens the privacy, security and personal safety of hundreds of thousands of company directors. 

“A bug of this scale is a gift to cybercriminals seeking to upload false documentation, impersonate CEOs and facilitate data theft.”

Tax expert Dan Neidle alerted Companies House to the glitch (Dan Neidle/CC BY-SA 4.0)

What should businesses do? 

Tax Policy Associates founder Dan Neidle, who alerted Companies House to the breach, said it was impossible for businesses to tell whether their information was viewed, but said they should check “very carefully” to see if any of their details were changed. 

Experts have advised business directors to visit their Companies House dashboard and review all of their details.

People should take screenshots of anything that looks incorrect and get in touch with Companies House directly to explain the problem.

Businesses should report any incorrect filing details to Companies House (Getty/iStock)

How could your information be used? 

Mr Stewart said: “The information contained on filings is usually very personal. It is names, addresses, dates of birth... The criminals who are after this data, that's their meat and drink.

“If you're thinking of doing something nefarious, going after a company, or making spurious claims about the company, it would have been really simple to get that information.”

Passwords and identity verification information, like passports, were not compromised, according to Companies House. 

Mr Stewart suspected bigger companies were more likely to be targeted, as it would allow criminals to have the contact details for senior people.

“Typically, what happens when they steal people's credentials is they'll cross-reference it with other things. They'll go after things like their Facebook profile, Instagram profile, and they'll build up a picture of these people because they're high net worth and therefore worth going after.”

More than five million companies could have been exposed to the glitch (Getty/iStock)

Mr Neidle said: “On one level, a prankster could make Mickey Mouse the director of every company in the FTSE, but that doesn't seem to have happened. 

“A more malicious actor would find a small company that they think has vulnerable financial controls, change the registered office, maybe add someone as a director, and take out some large bank loans. That's the kind of fraud that is enabled by being able to change company details.”

Should businesses be concerned about their data in the future? 

Mr Stewart said businesses are “absolutely” right to be concerned for the security of their data held by Companies House.

“What you would hope is that having made this absolute schoolboy error, they've gone back into their systems and tightened it up.

“It is beholden on Companies House here and their web filing team to give company owners and the finance industry and the security industry confidence that they've done a decent job at patching this up.” 

Companies House has apologised for the blunder (Gov.uk)

Mr Neidle added: “The people who can answer that are Companies House. They need to properly explain what this vulnerability was, how it happened, and how it was used. Only when they can assure people that they've understood the lessons of this will we be comfortable that it can't happen again.”

Companies House has reported itself to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC). The agency said it would be emailing every company’s registered email address to explain how to check their details and what steps to take if they have any concerns.

Chief executive Andy King said: “If we find evidence that anyone has used this issue to access or change another company’s details without authorisation, we will take firm action.”
