Companies House online filing back to normal after glitch allowed users to change directors' details


  • Companies House shuts down WebFiling after misconfiguration found
  • Logged-in users could view or alter other companies’ data
  • Sensitive details like DOBs and addresses briefly exposed, now patched

Companies House, the official government registrar of companies in the United Kingdom, was leaking sensitive company data to unauthorized third parties. The discovery of the vulnerability forced it to shut down one of its services over the weekend, as it investigated and addressed the issue.

In a press release published earlier this morning, Companies House CEO, Andy King, said the organization spotted a misconfiguration on Friday afternoon, “which meant that a logged-in user of our WebFiling service could potentially access and change some elements of another company’s details without their consent after performing a specific set of actions.”

WebFiling is a service that allows organizations to submit official documents electronically.


Exposing sensitive data

Although the bug could only be reached by logged-in users with an authorized code, Companies House closed the service and worked to resolve it. “The service has been independently tested and is back online as of 9am on Monday 16 March,” the announcement reads.

However, during the investigation, the organization found that some company data “not normally published on the Companies House register” may have been visible to other logged-in WebFiling users, including dates of birth, residential addresses, or company email addresses. Malicious actors could also have changed other companies’ data, such as details on accounts or directors.

But the CEO says stealing any of this data would be mighty difficult, since attackers would need to view one company at a time. He also confirmed that passwords were not compromised, data needed for ID verification was not accessed, and existing filed documents were not tampered with.

Despite the incident sounding lukewarm, Companies House still asked all organizations to check their registered details and filing history, and to reach out if they have any concerns.

The CEO finished off the announcement with an apology, saying Companies House takes its responsibility to protect data “extremely seriously”.

Via Financial Times



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
