What you need to know after millions of UK firms’ data shared in major glitch

Businesses are being urged to check their files with Companies House following a major data error on the website that could expose the private information of millions of British business executives.

For the past five months, a bug in the system had allowed people to view or edit information for more than five million companies simply by pressing the back button on their web browser several times.

The UK’s official corporate register was alerted to the breach on Friday.

Graeme Stewart, head of public sector at Check Point Software, said: “This is the latest in a series of public sector data disasters that have threatened the privacy, security and personal safety of hundreds of thousands of business executives.

“A bug of this scale is a gift to cybercriminals looking to upload fake documents, impersonate CEOs, and facilitate data theft.”

Tax expert Dan Neidle warns Companies House of glitch (Dan Neidle/CC BY-SA 4.0)

What should businesses do?

Dan Neidle, founder of Tax Policy Associates, which alerted Companies House to the breach, said it was impossible for businesses to know whether their information had been viewed but they should check “very carefully” whether any of their information had been changed.

Experts have advised business managers to visit the Companies House dashboard and review all the details listed there.

People should take a screenshot of anything that appears incorrect and contact Companies House directly to explain the problem.

Businesses must report incorrect filing details to Companies House (Getty/iStock)

How may your information be used?

Mr Stewart said: “The information contained in distributions is often very personal. These are names, addresses, dates of birth. This is the bread and butter of criminals who are after this data.

“If you were thinking of doing something nefarious, going after a company or making false claims about the company, it would be really easy to get that information.”

Authentication information such as passwords and passports was not compromised, according to Companies House.

Mr Stewart suspected that larger companies were more likely to be targeted because they would give criminals the contact details of senior people.

“Typically, what happens when they steal people’s credentials is they cross-reference it with other things. They go after things like Facebook profiles, Instagram profiles, and they build a picture of those people because they’re high net worth and therefore worth going after.”

More than five million companies may have been affected by this glitch (Getty/iStock)

Mr Neidle said: “On one level, a prankster could make Mickey Mouse the director of every company on the FTSE, but that doesn’t appear to have happened.

“A more malicious actor could find a small company that they think has poor financial controls, change its registered office, perhaps add someone as a director and obtain large bank loans. This is the kind of fraud where it is possible to change company details.”

Should businesses worry about their data in the future?

Mr Stewart said businesses were “absolutely” right to be concerned about the security of their data held by Companies House.

“What you would hope is that after making this absolute school mistake, they go back to their system and tighten it up.

“It behooves Companies House and the web filing team to reassure company owners, the financial sector and the security industry that they are doing a good job of fixing this.”

Companies House apologized for error (gov.uk)

Mr Neidle added: “The people who can answer this are Companies House. They need to properly explain what this vulnerability was, how it happened and how it was exploited. Only when they can reassure people that they understand the lessons from it can we be reassured that this won’t happen again.”

Companies House reported the incident to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC). The agency said it would send an email to each company’s registered email address explaining how to check their details and what steps to take if they have concerns.

Chief executive Andy King said: “If we find evidence that someone is using this to access or change another company’s details without permission, we will take decisive action.”
