Companies House closed temporarily after glitch allowed people to edit OTHER firms’ details

Companies House has been forced to temporarily shut down its online filing service following a glitch that allowed users to edit confidential data of other businesses.
More than five million companies were left vulnerable to potential fraud due to the bug that allowed criminals to change the name, address, email address and full date of birth of company executives.
This glitch also meant that anyone who discovered this flaw could delete or upload fake company accounts belonging to any company registered on the site.
Some of the largest organizations in the UK are listed on official corporate registers, including BP, Shell, HSBC, Unilever and Tesco.
Users simply logged in to the site and then entered the number of another company. At this point they were asked for a code, but this could be bypassed by pressing the ‘back’ button on the web browser a few times.
After doing this, users noticed that they were not seeing their own control panel, but the control panel of the company they were trying to access.
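A minimal model of the class of flaw described above, added here as an illustration and not Companies House code. It assumes the service switched the session's active company before the code was verified, which the report does not confirm; the class names, company numbers and codes are constructed.

```python
import hmac

# Constructed sample data: company number -> authentication code.
AUTH_CODES = {"00000001": "A1B2C3", "00000002": "Z9Y8X7"}

class VulnerableFiling:
    """Assumed flaw: the active company is switched before the code is checked."""
    def __init__(self, own_company):
        self.session = {"company": own_company}

    def select_company(self, number):
        self.session["company"] = number      # state changes too early
        return "enter-code"                   # the code prompt is only a page in the flow

    def dashboard(self):
        # 'Back' re-requests this page; it trusts whatever the session holds.
        return f"dashboard:{self.session['company']}"

class HardenedFiling:
    """Selection stays pending until the code verifies; every view re-checks."""
    def __init__(self, own_company):
        self.session = {"company": own_company, "pending": None,
                        "authorised": {own_company}}

    def select_company(self, number):
        self.session["pending"] = number      # active company is unchanged
        return "enter-code"

    def submit_code(self, code):
        pending = self.session["pending"]
        expected = AUTH_CODES.get(pending, "")
        self.session["pending"] = None        # one attempt per selection
        if pending and expected and hmac.compare_digest(code.encode(), expected.encode()):
            self.session["authorised"].add(pending)
            self.session["company"] = pending
            return True
        return False

    def dashboard(self):
        company = self.session["company"]
        if company not in self.session["authorised"]:  # checked on every request
            raise PermissionError("not authorised for this company")
        return f"dashboard:{company}"

def back_button_result(app, other_company):
    """Select another company, skip the code step, then reload the dashboard."""
    app.select_company(other_company)
    return app.dashboard()
```

In the hardened version the authorisation decision is made on the server for every page request, so the order in which the browser visits pages no longer matters.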
Even if not malicious, using a computer to look at data without permission could see someone imprisoned for up to two years (up to five years if access is gained to commit other crimes such as fraud) under the UK Computer Misuse Act 1990.
Dan Neidle, founder of the not-for-profit Tax Policy Associates, reported the matter to Companies House after being tipped off by John Hewitt of corporate services provider Ghost Mail.
In a post about the incident, he said: ‘The disclosure of executives’ home and email addresses for millions of companies has obvious security and GDPR implications.
‘This would be even worse if no one knew which companies were affected by this vulnerability.’
Mr Neidle said the glitch could be ‘very serious’ if it persisted for a long time, adding that it was ‘an absolutely insane vulnerability in terms of how easy it is to find’.
He said: ‘People can obtain enough data about a company and its executives to potentially commit fraud, to pretend to be one.
‘Worse still, they can change the address to their own to get the documents and if you can open an account you can do all kinds of damage.’
Discussing the failure, Mr Neidle added: ‘If it had only been there for 36 hours then maybe it would have been OK.
‘But if it’s been there for a month or more it’s very serious.
‘Security researchers say the average time it takes to exploit a vulnerability is 15 days, making it a particularly easy vulnerability that doesn’t require any hacking.’
A Companies House spokesman said: ‘We are aware of an issue with our WebFiling service and have turned it off while we investigate.
‘We apologize for the inconvenience caused to our customers.’
In guidance to affected customers, Companies House said: ‘If you miss the deadline due to service unavailability, there is no need to call us.
‘Send files as soon as possible once the service is available and screenshot any error messages and note the time and date. If you cannot apply we will consider this evidence.’
The Daily Mail has contacted Companies House for comment.




