UK Corporate Registry Exposes Personal Information of Employees


The UK’s Companies House alerted the public to a security issue that allowed other users to access “dates of birth, residential addresses and company email addresses.”

The issue was with their WebFiling service, an online service for filing company tax returns. As you can imagine, the data involved is highly sensitive.

The Companies House assures the public that passwords, passport information, and filed documents were not compromised.

The issue even allowed users to edit other companies’ records. They say this wasn’t available to the general public and “only users with an authorised code and logged in to the service could have performed this action.” However, corporate espionage and meddling are very real, and it’s possible competitors could have taken advantage of this.

The WebFiling service was taken down on Friday the 13th (of course) and stayed down all weekend in response.

We believe that this issue could not have been used to extract data in large volumes or to access records systematically. Any access would have been limited to individual company records, viewed one at a time by a registered WebFiling user.

Dan Neidle, the founder of Tax Policy Associates, posted a video demonstrating how the flaw could be abused.

The flaw is now fixed as of Monday. They said they reported the incident to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC) and are “actively analysing our data to identify any anomalies, and we’ll be emailing every company’s registered email address to explain how to check their details and what steps to take if they have any concerns.”

They haven’t found any evidence yet of anyone exploiting the flaw to change company details.

The Companies House asks that all companies check their registered details and filing history to make sure everything is correct, and to direct all concerns to enquiries@companieshouse.gov.uk.

They report no confirmed instances of data being changed without permission, but the investigation is ongoing. A page will be published with more information at a later date.
