Companies House closed temporarily after glitch allowed people to edit OTHER firms’ details

Companies House was forced to temporarily close its online filing service after a glitch allowed users to edit the confidential data of other businesses.

More than five million companies were left vulnerable to potential fraud due to the bug, which left criminals free to change the name, address, email address and full date of birth of company directors.

The glitch also meant that anyone discovering the flaw could have deleted or uploaded fraudulent company accounts for any company registered on the site.

Some of the largest organisations in the UK appear on the official corporate register, including BP, Shell, HSBC, Unilever and Tesco.

Users simply needed to log in to the site and then enter any other company’s number. At that point they would be asked for a code; however, this could be bypassed by simply pressing the ‘back’ button on the web browser several times.

After doing that, users saw not their own dashboard but that of the company they had tried to access.
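
The behaviour described above is what results when a server picks the company to display from navigation state instead of from a record of which codes were actually verified. The sketch below is an added example, not Companies House code and not part of the original article; the article does not state the real root cause, so the flawed handler is an assumed pattern, and all names, company numbers and codes are constructed.

```python
# Added illustration. All names are hypothetical; this is not Companies House code.
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: company number -> authentication code.
AUTH_CODES = {"00000001": "ALPHA1", "00000002": "BRAVO2"}

class Forbidden(Exception):
    """Raised when a session asks for a company it has not been authorised for."""

@dataclass
class Session:
    user: str
    pending_company: Optional[str] = None          # number typed in, nothing proven yet
    authorised: set = field(default_factory=set)   # numbers with a verified code

def select_company(session: Session, number: str) -> None:
    """Step 1: the user enters a company number. This grants no access."""
    session.pending_company = number

def submit_code(session: Session, code: str) -> bool:
    """Step 2: only a correct code moves the pending company into `authorised`."""
    number = session.pending_company
    expected = AUTH_CODES.get(number or "")
    if expected is None or not hmac.compare_digest(expected.encode(), code.encode()):
        return False
    session.authorised.add(number)
    return True

def dashboard_weak(session: Session) -> str:
    """Flawed pattern (assumed): serves whichever company was last selected,
    so any route that reaches this handler without step 2 exposes it."""
    return f"dashboard:{session.pending_company}"

def dashboard(session: Session, number: str) -> str:
    """Hardened: every request is checked against the verified set,
    regardless of how the browser navigated to it."""
    if number not in session.authorised:
        raise Forbidden(number)
    return f"dashboard:{number}"
```
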

Even without malicious intent, using a computer to look at data without permission could land someone in prison for up to two years – or five years if the access is gained to commit further offences, such as fraud – under the UK Computer Misuse Act 1990. 

Dan Neidle, founder of non-profit Tax Policy Associates, flagged the issue to Companies House, after being tipped off by John Hewitt at corporate services provider Ghost Mail. 

He said in a post about the incident: ‘There are obvious security and GDPR implications of revealing directors’ home and email addresses for millions of companies. 

‘All the more so if nobody knows which companies were impacted by the vulnerability.’ 

Mr Neidle said the glitch could be ‘very serious’ if it was in place for a long time, adding it was an ‘absolutely insane vulnerability in how easy it is to find’.

He said: ‘People could get enough data about a company and its directors to potentially commit fraud – to pretend to be it.

‘Even worse, they could change the address to their address so they could pick up documents and, if you could file accounts, you could do all kinds of damage.’

Discussing the glitch, Mr Neidle added: ‘If it was only there for 36 hours, then maybe it’s fine.

‘But if it was there for a month or more, it’s very serious.

‘Security researchers say 15 days is the average time it takes for a vulnerability to be exploited, and this was a particularly easy vulnerability with no hacking required.’

A Companies House spokesperson said: ‘We are aware of an issue with our WebFiling service and have closed it while we investigate. 

‘We apologise for any inconvenience to our customers.’ 

In guidance for affected customers, Companies House stated: ‘If you miss your filing deadline due to the service being unavailable, there’s no need to call us.

‘File as soon as you can once the service is available, and take a screenshot of any error messages and note the time and date. We’ll take this evidence into account if you cannot file.’

Daily Mail has contacted Companies House for comment. 
