Companies House closed temporarily after glitch allowed people to edit OTHER firms’ details
Companies House Service Disrupted Due to Data Editing Vulnerability
A critical flaw in the UK’s Companies House online system prompted an emergency shutdown of its filing platform. The issue allowed users to modify the private information of other businesses, exposing over five million entities to potential fraud.
The error meant individuals could alter details such as company directors’ names, addresses, emails, and full dates of birth. This access could also be used to delete or upload fraudulent accounts, effectively hijacking corporate records.
Among the affected were prominent UK entities such as BP, Shell, HSBC, Unilever, and Tesco. The vulnerability was exploited by entering another company’s registration number, bypassing the security code through repeated use of the web browser’s ‘back’ button.
Users then accessed the dashboard of the targeted business without authorization, enabling them to manipulate sensitive data. Even unintentional breaches could lead to legal consequences under the Computer Misuse Act 1990, with penalties of up to two years in prison for unauthorized access, or five years if the access is used for criminal activity like fraud.
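The article does not say how the Companies House service is built. As an added illustration (not code from Companies House or from this article), the sketch below shows the server-side check that makes a page-order bypass of this kind ineffective: every dashboard request is authorized against the set of companies whose security code was verified in that session, never against whichever company number was entered last. All function names, company numbers and codes are constructed for the example.

```python
from __future__ import annotations

import hmac
from dataclasses import dataclass, field

# Constructed sample data: company number -> security code.
SECURITY_CODES = {"00000001": "A1B2C3", "00000002": "Z9Y8X7"}


@dataclass
class Session:
    user: str
    selected_company: str | None = None  # navigation state only, never trusted
    verified_companies: set[str] = field(default_factory=set)  # authorization state


def select_company(session: Session, company_number: str) -> None:
    """Step 1: the user enters a registration number. This grants nothing."""
    session.selected_company = company_number


def submit_security_code(session: Session, company_number: str, code: str) -> bool:
    """Step 2: mark a company as verified only if its own code matches."""
    expected = SECURITY_CODES.get(company_number)
    if expected is None or not hmac.compare_digest(expected.encode(), code.encode()):
        return False
    session.verified_companies.add(company_number)
    return True


def can_open_dashboard(session: Session, company_number: str) -> bool:
    """Run on every dashboard or filing request, whatever page came before it."""
    return company_number in session.verified_companies


def walk_flow() -> dict[str, bool]:
    """Replay an out-of-order navigation against the checks above."""
    s = Session(user="alice")
    select_company(s, "00000001")
    submit_security_code(s, "00000001", "A1B2C3")  # legitimate sign-in, own company
    select_company(s, "00000002")  # second number entered, code step never completed
    return {
        "own": can_open_dashboard(s, "00000001"),
        "other": can_open_dashboard(s, "00000002"),
        "wrong_code": submit_security_code(s, "00000002", "A1B2C3"),
    }


if __name__ == "__main__":
    print(walk_flow())
```

Because the decision depends only on `verified_companies`, browser history, cached pages and replayed form steps cannot change the outcome.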
Expert Warns of Serious Risks
“The security and data protection risks are clear, especially with millions of companies potentially impacted,” said Dan Neidle, founder of Tax Policy Associates. He noted the flaw was revealed after an alert from John Hewitt of Ghost Mail.
Neidle emphasized the severity of the vulnerability, stating it was “alarmingly simple to exploit.” He argued that the ability to access and alter company details could enable individuals to impersonate firms or redirect documents to their own addresses, causing significant damage.
“If the issue persisted for weeks, the consequences would be dire,” Neidle added. “Security researchers estimate the average time for a vulnerability to be exploited is 15 days, and this one required no technical skill to exploit.”
A Companies House representative acknowledged the problem, stating the service was closed “while we investigate.” They offered guidance to affected users, suggesting they file as soon as possible and document any error messages for review.
The Daily Mail sought additional comments from Companies House for further clarification on the incident and its resolution.
