Brian Sims
Editor

Companies House responds to WebFiling service cyber glitch episode

COMPANIES HOUSE recently suspended its online WebFiling service following a cyber glitch. The glitch meant that, after performing a specific set of actions, a logged-in user could potentially access and change some elements of another company’s details without that company’s consent.

Data that could reportedly be viewed due to the glitch included directors’ home addresses, business e-mail addresses and dates of birth. It may also have been possible for unauthorised filings – such as accounts or changes of director – to have been made on another company’s record.

Importantly, passwords were not compromised. No data used as part of the identity verification process, such as passport information, was accessed. Companies House also affirmed that no existing filed documents, such as accounts or confirmation statements, could have been altered.

Companies House believes that this issue could not have been used to extract data in large volumes or to access records systematically. Any access would have been limited to individual company records, viewed one at a time by a registered WebFiling user.

The subsequent investigation into the episode indicates that this issue was introduced when Companies House updated its WebFiling systems last October.

Alerted to the problem

Companies House was alerted to the issue on 13 March by Dan Neidle, founder of Tax Policy Associates. Neidle said the glitch could have been “very serious” if it had been in place for a substantial length of time.

On the evening of 13 March, a Companies House spokesperson said: “We are aware of an issue with our WebFiling service and have closed it while we investigate. We apologise for any inconvenience caused to our customers.”

WebFiling was closed at 1.30 pm on 13 March while Companies House investigated and then resolved the issue. The service was independently tested and was back online as of 9.00 am on 16 March.

Complete overhaul

Cyber expert Graeme Stewart, head of the public sector at Check Point Software, explained: “This is the latest in a series of public sector data disasters that threatens the privacy, security and personal safety of hundreds of thousands of company directors. A bug of this scale is a potential gift to those seeking to upload false documentation, impersonate CEOs and attempt to facilitate data theft. It’s time for a complete overhaul of core systems, with security armour embedded by design.” 

Kenny MacAulay, CEO of accounting software platform Acting Office, stated: “Another day, another massive public sector data blunder. It defies belief that people could so easily gain access to seemingly the entire dashboard of tens of thousands of companies and their respective directors across the UK.”

MacAulay added: “Basic compliance requirements must be in place to prevent data exposure like this from ever happening, with sites thoroughly checked for bugs and security weaknesses on a regular basis.”

Reported to the ICO

Andy King, CEO of Companies House, has apologised for the incident and reported events to the Information Commissioner’s Office and the National Cyber Security Centre.

“Companies House takes its responsibility to protect the data entrusted to us extremely seriously,” observed King. “We have taken swift action to secure and restore our service and are fully committed to doing everything in our power to support those affected and make sure that our services continue to merit the trust placed in them.”

Companies House is the official UK Government agency directly responsible for incorporating, dissolving and also registering limited companies.

Company Info

Western Business Media Limited

Dorset House
64 High Street
East Grinstead
RH19 3DE
UNITED KINGDOM
