Companies House said a glitch on its online filing service allowing people to view and edit data for other businesses and their directors may have gone undetected for five months.
The UK’s official corporate register said it had reopened the WebFiling service on Monday morning, having suspended it on Friday after being alerted to the bug.
There are more than five million companies on the corporate register, including FTSE 100 listed giants such as Tesco, BT and oil giants BP and Shell.
Andy King, chief executive of Companies House, said an internal investigation into the issue suggested the glitch may have been caused when its WebFiling systems were updated in October last year.
He added that WebFiling users, with an authorised code and logged into the service, could have accessed and edited data.
A vulnerability in the UK’s official corporate register allowed people to access other companies’ details by pressing the back key on their web browser several times.
Information that was accessible included dates of birth, residential addresses and company email addresses, Companies House confirmed.
It may also have been possible for unauthorised filings, such as accounts or changes of director, to have been made on another company’s record, Companies House said.
But it stressed passwords were not able to be viewed, while it said data used as part of its identity verification process, such as passport information, was not accessible.
Existing filed documents, such as accounts or confirmation statements, could not have been altered, it said.
Mr King said: “We believe that this issue could not have been used to extract data in large volumes or to access records systematically.
“Any access would have been limited to individual company records, viewed one at a time by a registered WebFiling user.”
He added: “I recognise that this incident will have caused concern and inconvenience to many of the companies and individuals who rely on our services. I am sorry for that.
“Companies House takes its responsibility to protect the data entrusted to us extremely seriously.
“We have taken swift action to secure and restore our service, and are committed to doing everything in our power to support those affected and to making sure that our services continue to merit the trust placed in them.”
Firms were being advised over the weekend to check their details after the bug left them potentially exposed to fraud.
Companies House was alerted to the issue on Friday by Dan Neidle, founder of Tax Policy Associates.
Companies House said it was not aware yet of any reports of data having been accessed or changed without permission, but its investigations are ongoing.
“We’ll provide further updates as our work progresses and we remain committed to being transparent throughout,” Mr King said.
He vowed to take “firm action” if Companies House finds evidence that anyone has used this issue to access or change another company’s details without authorisation.
Companies House said it was checking data on the system for any “anomalies” and would email every company’s registered address with guidance on how to check details and what steps to take if there are any concerns.
Mr Neidle warned on Friday the issue could be very serious if left undetected for a long period of time, leaving firms exposed to possible fraud.
He told the Press Association at the time: “Security researchers say 15 days is the average time it takes for a vulnerability to be exploited, and this was a particularly easy vulnerability with no hacking required.”