Companies House Breach - Web Glitch Exposes Corporate Data
Basically, a website error let people see private company info they shouldn't access.
A serious flaw in the Companies House website has exposed sensitive corporate data, putting millions at risk. This breach allows fraudsters to access personal information, raising significant security concerns. Companies must now verify their registration data to ensure no unauthorized changes have occurred.
What Happened
A significant security breach occurred at the UK’s Companies House, prompting the agency to suspend access to its WebFiling dashboard. This flaw was discovered by Dan Neidle, founder of Tax Policy Associates, after a demonstration by John Hewitt from Ghost Mail. The glitch allowed users to log in and access not just their own company’s dashboard, but potentially any of the five million companies registered with Companies House. This means that fraudsters could exploit this vulnerability to access sensitive corporate information.
The flaw is alarmingly easy to exploit. A user could log in with their own details, choose to file for a different company and then, despite never supplying that company's authentication code, navigate back to the dashboard of the other company. In effect, selecting a company was treated as proof of the right to act for it. This oversight could lead to unauthorized access to the personal and corporate data of millions of directors, including email addresses and dates of birth. Such information could be used for follow-on phishing attempts, making it a serious threat.
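The pattern described above is a classic broken access control defect: the application records which company the user has selected, but never checks that the user actually proved control of that company before showing its dashboard. The following is an added illustration of that pattern and its fix, written for this article; it is not Companies House code, and the registry entries, authentication codes and company numbers are constructed placeholders.

```python
"""Broken vs hardened company-selection authorization (illustrative only)."""
import hmac
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed sample registry and per-company authentication codes.
# These are hypothetical values, not real Companies House records.
REGISTRY = {
    "00000001": {"name": "Example One Ltd", "directors": ["director-a@example.test"]},
    "00000002": {"name": "Example Two Ltd", "directors": ["director-b@example.test"]},
}
AUTH_CODES = {"00000001": "A1B2C3", "00000002": "D4E5F6"}


@dataclass
class Session:
    user_id: str
    # Companies for which this session has presented a valid authentication code.
    authorised_companies: Set[str] = field(default_factory=set)
    # Company currently selected in the UI (a navigation state, not a permission).
    selected_company: Optional[str] = None


# --- Vulnerable flow: selection is recorded without verifying the code ------

def select_company_vulnerable(session: Session, company_number: str) -> bool:
    """Flaw 1: the selection is stored before any authentication code is checked."""
    if company_number not in REGISTRY:
        return False
    session.selected_company = company_number
    return True


def view_dashboard_vulnerable(session: Session) -> Optional[dict]:
    """Flaw 2: the dashboard trusts whatever company is selected in the session."""
    if session.selected_company is None:
        return None
    return REGISTRY[session.selected_company]


# --- Hardened flow: authorisation is bound to a verified code ---------------

def select_company_hardened(session: Session, company_number: str, auth_code: str) -> bool:
    """Only record a selection once the caller proves control of the company."""
    expected = AUTH_CODES.get(company_number)
    if expected is None or not hmac.compare_digest(expected, auth_code):
        # Deny without changing session state; log the denial server-side.
        return False
    session.authorised_companies.add(company_number)
    session.selected_company = company_number
    return True


def view_dashboard_hardened(session: Session) -> Optional[dict]:
    """Re-check authorisation at the point of access, not only at selection time."""
    cid = session.selected_company
    if cid is None or cid not in session.authorised_companies:
        return None  # selection alone is never authorisation
    return REGISTRY[cid]


def demo() -> dict:
    """Replay the reported sequence against both flows and report the outcome."""
    # Vulnerable: authenticate for own company, then switch to another with no code.
    v = Session(user_id="user-a")
    select_company_vulnerable(v, "00000001")
    select_company_vulnerable(v, "00000002")
    leaked = view_dashboard_vulnerable(v)

    # Hardened: the same sequence is refused and the dashboard stays on own company.
    h = Session(user_id="user-a")
    select_company_hardened(h, "00000001", "A1B2C3")
    switched = select_company_hardened(h, "00000002", "")
    shown = view_dashboard_hardened(h)

    return {
        "vulnerable_shows": leaked["name"] if leaked else None,
        "hardened_switch_allowed": switched,
        "hardened_shows": shown["name"] if shown else None,
    }


if __name__ == "__main__":
    print(demo())
```

The key design point is that the hardened version checks authorisation twice: once when the selection is made, and again when the protected resource is rendered. Checking only at navigation time is exactly what lets a "navigate back" sequence bypass the control.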
Who's Affected
The breach puts around five million directors at risk, as their personal information was exposed. This includes not only corporate details but also sensitive data that could facilitate identity theft or financial fraud. Small companies, particularly those with fewer security measures, are most vulnerable to this kind of exploitation. The implications are severe, as criminals could potentially alter registration details to open bank accounts or secure loans under false pretenses.
While Companies House has temporarily taken the WebFiling dashboard offline, the extent of the breach remains uncertain. Questions linger about how long the website was vulnerable and whether any unauthorized modifications were made. The agency is expected to conduct a thorough investigation to assess the impact.
What Data Was Exposed
The security flaw led to exposure of critical data, including directors' home addresses, email addresses, and birth dates. This information is not only sensitive but also protected under GDPR regulations, which raises concerns about compliance and accountability. The breach could lead to significant privacy violations, especially if companies are unaware of the changes made to their registration data.
Moreover, the lack of notification to companies whose details were altered poses a substantial risk. If a company's registration information is modified without its knowledge, it may receive no alert about the change, further increasing the potential for fraud.
What You Should Do
In light of this breach, it is imperative for directors to take immediate action. They should check their Companies House registration data to ensure that no unauthorized changes have been made. This includes verifying both publicly available and non-public information. Companies should also enhance their security measures to prevent unauthorized access in the future.
Additionally, it is advisable for directors to monitor their financial accounts for any suspicious activity and to be vigilant against phishing attempts that may arise from the leaked information. Companies House must also address the security flaws and implement stricter controls to protect sensitive data moving forward.
Infosecurity Magazine