Companies House has said a major bug in its online systems that could have exposed the personal details of company directors was likely to have been introduced in a software update five months ago.
The issue, which Companies House was made aware of on 13 March, meant that “dates of birth, residential addresses and company email addresses” might have been visible to unauthorised users, said Companies House chief executive Andy King.
“It may also have been possible for unauthorised filings — such as accounts or director changes — to have been made on another company’s record,” he added.
Data breach
The body urged firms to check their registered details and ensure they had not been modified.
It said passwords and identifying documents such as passports could not have been accessed, and existing company reports could not have been altered.
“Any access would have been limited to individual company records, viewed one at a time by a registered WebFiling user,” said King.
The issue was discovered by a researcher who found that while he was logged into his own account, he was able to access other companies’ dashboards by pressing the “back” button on his web browser four times.
Software update
Companies House said the issue was probably introduced with an update to WebFiling in October.
The system was taken offline on Friday, 13 March and the issue was fixed as of Monday, 16 March.
The organisation said it had “proactively” reported the incident to the Information Commissioner’s Office and the National Cyber Security Centre, although there was no evidence the issue had been caused by a cyber attack.
“We are actively analysing our data to identify any anomalies, and we’ll be emailing every company’s registered email address to explain how to check their details and what steps to take if they have any concerns,” said King.


