- Companies House shuts down WebFiling after incorrect configuration found
- Logged in users could view or alter other companies’ data.
- Sensitive details like dates of birth and addresses briefly exposed, now patched
Companies House, the official government registry of companies in the United Kingdom, was leaking confidential company data to unauthorized third parties. The discovery of the vulnerability forced it to shut down one of its services over the weekend while it investigated and fixed the problem.
In a press release published this morning, Companies House chief executive Andy King said the organization detected a misconfiguration on Friday afternoon, “which meant that a user who had logged into our WebFiling service could access and change some elements of another company’s details without their consent after performing a specific set of actions.”
WebFiling is a service that allows organizations to submit official documents electronically.
Article continues below.
Expose sensitive data
Despite the bug being accessible to no one else except users who had logged in with an authorized code, Companies House shut down the service and worked to resolve it. “The service has been independently tested and is back online as of 9 a.m. Monday, March 16,” the announcement reads.
However, during the investigation, the organization discovered that some company data “not normally published on the Companies House register” may have been visible to other logged-in WebFiling users, including dates of birth, residential addresses or company email addresses. Malicious actors could have changed other companies’ data, such as accounts or directors.
But the CEO says stealing any of this data would be very difficult, as attackers would need to look at one company at a time. That said, it confirmed that passwords were not compromised, that data necessary for identity verification was not accessed, and that existing archived documents were not altered.
Even though the attack seemed lukewarm, Companies House still asked all organizations to check their registered details and filing history, and to get in touch if they had any concerns.
The chief executive ended the announcement with an apology and said Companies House takes its responsibility to protect data “very seriously”.
Through Financial times
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp also.
