- Companies House closes WebFiling after misconfiguration
- Logged in users can view or edit other companies’ data
- Sensitive details such as dates of birth and addresses briefly exposed, now fixed
Companies House, the UK’s official business registration office, was leaking sensitive company data to unauthorized third parties. The discovery of the vulnerability forced it to shut down one of its services over the weekend while it investigated and fixed the problem.
In a press release issued earlier this morning, Companies House CEO Andy King said the organization spotted a misconfiguration on Friday afternoon, “which meant that a user logged into our WebFiling service could potentially access and modify certain elements of another company’s information without their consent after completing a specific set of actions.”
WebFiling is a service that allows organizations to submit official documents electronically.
Article continues below
Expose sensitive data
Although the bug was not accessible to anyone other than users logged in with an authorized code, Companies House shut down the service and worked to resolve it. “The service has been independently tested and is back online on Monday, March 16 at 9 a.m.,” the announcement said.
However, during the investigation the organization discovered that some company data “not normally published on the Companies House register” may have been visible to other users logged into WebFiling, including dates of birth, residential addresses or company email addresses. Malicious actors could have modified other companies’ data, such as account or administrator data.
But the CEO says stealing this data would be very difficult, because attackers would have to look at one company at a time. That being said, he confirmed that passwords had not been compromised, data needed for identity verification had not been accessed, and existing documents had not been tampered with.
Although the attack appears lukewarm, Companies House has still asked all organizations to check their registered information and filing history, and to contact them if there are any concerns.
The CEO ended the announcement with an apology, saying Companies House takes its responsibility to protect data “extremely seriously”.
Via Financial Times
The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds. Make sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp Also.
