Corporate ID theft has become a large topic in the USA recently. IT World published an article about two American lawyers who exploited the online filing system to steal dormant companies. These lawyers reinstated the companies and then either took out loans on their account or sold shares. The estimated damage is $100 million.
What about Companies House in the UK? Is it more secure than US filing systems? It turns out that it sends company passwords by post rather than email, but it will send you the current password in plaintext.
Read about why passwords should always be stored in cryptographically protected form.
Companies today are obliged to register and make pretty much all changes to their status online. The problem this causes is twofold:
- These company-wide accounts are protected by just a password.
- The accounts are checked infrequently: for many companies, statutory filings are due only once a year, and there is little other reason to log in.
In the UK, Companies House requires two passwords. The first one is per user – the same across all companies you own or have an online account for. The other password is per company. This second password is sent to the company’s registered address by post. If this password is lost or forgotten there is no way to get it online; it can only be resent by post, which is good. What is not so good is that the password is not reset when this happens. For Companies House to send out a reminder of the password without resetting it, the password must be stored in plaintext on a server somewhere. This means it is vulnerable to hackers (see a recent Tesco story).
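The design alternative the paragraph above argues for, as an added illustration (not Companies House’s own system or code): a hypothetical per-company credential store that keeps only a salted PBKDF2 hash, so the service can verify a posted password but has nothing to “remind” the holder of; a lost password can only be replaced by a freshly generated one sent by post. The company number, password alphabet and work factor are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
import string

# Assumption for this example: a PBKDF2 work factor; tune for the deployment.
PBKDF2_ROUNDS = 200_000
# Assumption: posted passwords use an unambiguous upper-case/digit alphabet.
PASSWORD_ALPHABET = string.ascii_uppercase + string.digits


def generate_company_password(length=12):
    """Mint a random password suitable for posting to the registered address."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def hash_password(password, salt=None):
    """Return (salt, derived key). The plaintext password is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, key


class CompanyCredentialStore:
    """Maps company number -> (salt, derived key); no recoverable secret exists."""

    def __init__(self):
        self._records = {}

    def enrol(self, company_number):
        """Create the per-company password and return it once, for posting."""
        password = generate_company_password()
        self._records[company_number] = hash_password(password)
        return password

    def verify(self, company_number, candidate):
        """Constant-time check of a submitted password against the stored hash."""
        record = self._records.get(company_number)
        if record is None:
            return False
        salt, expected = record
        _, actual = hash_password(candidate, salt)
        return hmac.compare_digest(expected, actual)

    def reset_by_post(self, company_number):
        """Lost password: invalidate the old hash and issue a new password.
        There is deliberately no remind(): the old value cannot be recovered."""
        if company_number not in self._records:
            raise KeyError(company_number)
        return self.enrol(company_number)
```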
So what could someone do with unauthorised access to Companies House online? They could change the company’s registered address, add and remove directors and secretaries, or change the share distribution or ownership. The company has to keep its own records too, but it is easy to see how a fraudster could do much the same as those American lawyers without much effort.
Tesco very quickly fixed their system following publication of the vulnerability. I wonder whether Companies House, which keeps rather more valuable information safe than the contents of our last grocery shop, will be as quick to respond.