- Companies House shuts down WebFiling after misconfiguration found
- Logged-in users could see or change other companies’ data
- Sensitive details like DOBs and addresses briefly exposed, now fixed
Companies House, the official government registrar of companies in the United Kingdom, leaked sensitive company data to unauthorized third parties. The discovery of the vulnerability forced it to shut down one of its services over the weekend as it investigated and addressed the issue.
In a press release published earlier this morning, Companies House CEO Andy King said the organization discovered a misconfiguration on Friday afternoon “which meant that a logged-in user of our WebFiling service could potentially access and change some elements of another company’s details without their consent after performing a specific set of actions.”
WebFiling is a service that allows organizations to submit official documents electronically.
Exposure of sensitive data
Although the bug was only reachable by logged-in users with an authorized code, Companies House shut down the service and worked to fix it. “The service has been independently tested and will be back online from 9am on Monday 16 March,” the statement read.
But during the investigation, the organization found that some company data “not normally published in the Companies House registry” may have been visible to other logged-in WebFiling users, including dates of birth, residential addresses or company email addresses. Malicious actors could also have changed other companies’ data, such as details on accounts or directors.
But the CEO says it would be very difficult to steal this data, as attackers would have to view one company at a time. He also confirmed that passwords were not compromised, that no data was accessed for ID verification, and that existing archived documents were not tampered with.
Despite the incident sounding lukewarm, Companies House still asked all organizations to check their registered details and filing history and to contact it if they have any concerns.
The chief executive ended the announcement with an apology, saying that Companies House takes its responsibility to protect data “extremely seriously”.
Via Financial Times