2 points by sarusso 5 hours ago | 1 comment
  • sarusso 5 hours ago
    "Our investigation found that it was technically possible for a logged-in registered user to:

    1. See certain data not normally published on the public register:

    - the day of the date of birth for directors and PSCs

    - residential address for directors and PSCs

    - company registered email address

    2. File updates to any information without consent. For example, new accounts or changes of director."

    • chrisjj 5 hours ago
      Only technically possible, so not so bad. /i

      And more weasel words at:

      The issue could only have been exploited by a logged-in user performing a specific set of actions.

      At this stage, we have no confirmed reports of any data having been accessed or changed without permission, and we believe the issue could not have been used to extract data in large volumes.

      • sarusso 5 hours ago
        The "specific set of actions" is so vague that it could range from just opening a specific company page and clicking on a button to performing a complex chain of steps.

        This said, it's not that bad, that's true. But the idea of having the personal residential address exposed is not great either.

        • chrisjj 3 hours ago
          That vagueness is clearly designed to disguise the truth, being "going to his own company's dashboard and trying to view another which he didn't own and pressing the back key four times" https://www.bbc.co.uk/news/articles/c5y41p0dy1wo

          As for the personal residential address exposure, it is a huge breach. This website keeps certain Directors' private info private for very good reason. I look forward to the regulators, ICO, imposing an appropriately huge fine.

          And just love the "if we find evidence that anyone has accessed or changed another company’s details without authorisation, we will take firm action." Firm action internally, right? Right?
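The thread above describes a logged-in user reaching another company's restricted fields and filing updates without consent. The class of defect is missing object-level authorization: the server trusted the navigation path instead of checking, on every request, whether this user is authorised for this company. The sketch below is an added illustration, not Companies House code and not from the linked article; the register, user names and field names are constructed. It shows the two server-side checks that close the issue (filtering restricted fields on read, refusing writes) and an audit log of denials, which is what lets an operator answer "has anyone accessed another company's data" with evidence rather than belief.

```python
"""Object-level authorization for a company register (constructed example).

Every read and write is authorised server-side against the company being
requested, so it does not matter which page the caller came from or how
they reached the URL (deep link, history navigation, edited request).
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a user is not authorised to act for the requested company."""


@dataclass
class Company:
    number: str
    name: str
    registered_email: str
    directors: list                     # one dict per director/PSC
    authorised_users: set = field(default_factory=set)


# Fields the public register already publishes for a director/PSC.
PUBLIC_DIRECTOR_FIELDS = {"name", "birth_month", "birth_year", "service_address"}
# Fields that must only be returned to a user authorised for that company.
RESTRICTED_DIRECTOR_FIELDS = {"birth_day", "residential_address"}

# Constructed sample register: two companies, each with one authorised user.
REGISTER = {
    "00000001": Company("00000001", "Alpha Ltd", "alpha@example.invalid",
                        [{"name": "A. Director", "birth_day": 14, "birth_month": 3,
                          "birth_year": 1970, "service_address": "1 Service St",
                          "residential_address": "9 Home Rd"}],
                        authorised_users={"alice"}),
    "00000002": Company("00000002", "Beta Ltd", "beta@example.invalid",
                        [{"name": "B. Director", "birth_day": 2, "birth_month": 11,
                          "birth_year": 1985, "service_address": "2 Service St",
                          "residential_address": "4 Private Ln"}],
                        authorised_users={"bob"}),
}

# Every denied request is recorded: user, company, action.
AUDIT: list = []


def is_authorised(user: str, company: Company) -> bool:
    """The single source of truth for 'may this user act for this company'."""
    return user in company.authorised_users


def view_company(user: str, number: str) -> dict:
    """Return the company record, with restricted fields only for authorised users."""
    company = REGISTER[number]
    authorised = is_authorised(user, company)
    allowed = PUBLIC_DIRECTOR_FIELDS | (RESTRICTED_DIRECTOR_FIELDS if authorised else set())
    # Filter on the server: an unauthorised caller never receives the restricted keys.
    directors = [{k: v for k, v in d.items() if k in allowed} for d in company.directors]
    record = {"number": company.number, "name": company.name, "directors": directors}
    if authorised:
        record["registered_email"] = company.registered_email
    else:
        AUDIT.append({"user": user, "company": number, "action": "view_restricted_denied"})
    return record


def file_update(user: str, number: str, change: dict) -> bool:
    """Apply a filing (new appointment or email change) only for an authorised user."""
    company = REGISTER[number]
    if not is_authorised(user, company):
        AUDIT.append({"user": user, "company": number, "action": f"file_{change['type']}_denied"})
        raise Forbidden(f"{user} may not file for company {number}")
    if change["type"] == "appoint_director":
        company.directors.append(dict(change["director"]))
    elif change["type"] == "change_email":
        company.registered_email = change["email"]
    else:
        raise ValueError(f"unknown change type {change['type']!r}")
    return True


def denials_for_company(number: str) -> list:
    """Audit query: every denied attempt against one company."""
    return [e for e in AUDIT if e["company"] == number]


if __name__ == "__main__":
    print(view_company("alice", "00000001"))   # full record, residential address present
    print(view_company("bob", "00000001"))     # public fields only
    try:
        file_update("bob", "00000001", {"type": "change_email", "email": "x@example.invalid"})
    except Forbidden as exc:
        print("refused:", exc)
    print(denials_for_company("00000001"))
```

The point of keeping `is_authorised` as the one decision function is that both the read path and the write path call it for the specific company object, so a user's own dashboard session confers nothing on any other company. The `AUDIT` list stands in for a real append-only log; a notice saying "no confirmed reports" of misuse is only meaningful if such a log exists to search.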

    • beardyw 4 hours ago
      If I remember right, date of birth and address used to be right there on the company page. Led to credit being taken out in my name, which luckily got picked up.