Andy King, the chief executive of Companies House, has apologised for a technical error which meant customers could access and change elements of another company’s details.
The issue meant a logged-in user of its WebFiling service could view and alter some elements of another company’s details without their consent after performing a specific set of actions.
Companies House said it was made aware of the security failure on Friday but added that its subsequent investigation has indicated the issue was introduced when it updated its WebFiling systems in October last year.
The agency closed the WebFiling service at 1:30pm on Friday while it investigated and resolved the issue. It said the service was independently tested and went back online at 9am today.
King, who has led Companies House since September, said in a statement: “I recognise that this incident will have caused concern and inconvenience to many of the companies and individuals who rely on our services. I am sorry for that.
“Companies House takes its responsibility to protect the data entrusted to us extremely seriously. We have taken swift action to secure and restore our service, and are committed to doing everything in our power to support those affected and to making sure that our services continue to merit the trust placed in them.”
WebFiling allows customers to file details such as their company's confirmation statement/annual return, annual accounts and director/secretary changes.
Companies House said its investigation established that specific data from individual companies not normally published on the Companies House register may have been visible to other logged-in WebFiling users, including dates of birth, residential addresses and company email addresses. The agency said it may also have been possible for unauthorised filings – such as accounts or changes of director – to have been made on another company’s record.
Companies House said the data was not accessible to the general public – only to users with an authorised code who were logged in to the service.
It said the following data was not affected:
- Passwords were not compromised
- No data used as part of its identity verification process, such as passport information, was accessed
- No existing filed documents, such as accounts or confirmation statements, could have been altered.
King said: “We believe that this issue could not have been used to extract data in large volumes or to access records systematically. Any access would have been limited to individual company records, viewed one at a time by a registered WebFiling user.”
King said Companies House has at this stage not received any reports of data having been accessed or changed without permission, but added that the investigation is ongoing.
“We’ll provide further updates as our work progresses and we remain committed to being transparent throughout,” he said.
Companies House said it has proactively reported the incident to the Information Commissioner’s Office and the National Cyber Security Centre, is actively analysing its data to identify any anomalies, and will be emailing every company’s registered email address to explain how to check their details and what steps they can take if they have any concerns.
“If we find evidence that anyone has used this issue to access or change another company’s details without authorisation, we will take firm action,” King said.
The agency is asking all companies to check their registered details and filing history to make sure everything appears correct. Companies House said any company with a concern should raise a complaint and include evidence describing the concern.
King said Companies House will soon publish a page with more details on the security issue to answer any further questions companies may have.