The new Companies House website puts company directors at increased risk of spear phishing
Personal information about company directors is now free to download, so why haven't they been informed?
A publicly accessible trial version of the Companies House website reveals personal details of company directors such as date of birth, signature and home address, potentially making them targets for identity theft and phishing.
The beta version of the UK company registrar's website has been live since June 2015. It allows anyone to download PDFs of annual returns, accounts and other records going back many years. There are 170 million such documents, many containing personal information about company directors and secretaries: service addresses (which in some cases are the same as their home addresses), dates of birth, signatures and other details.
While these records were already accessible prior to the release of the beta website, this access was not free; it was necessary to register with Companies House and pay a fee in order to view them.
The goal of increasing public access to information held by Companies House is laudable. The public should be able to trace the activities of company officials, without having to pay for the privilege. This is important for commercial investment and partnership decisions and also for the prevention of fraud. However, the risks in doing so need to be thought through.
"Previously the person accessing it would have to give up their details to obtain the information, which at least mitigated the issue," said privacy advocate and co-founder of Krowdthink Ltd Geoff Revill, who alerted Computing to the matter.
"Now anyone anywhere can obtain this information to gain trust, which is perfect for attacks that use social engineering and spear phishing."
As its Personal Information Charter makes clear, Companies House is obliged to make information on company officers public under the Companies Act 2006. This information may include name, address, occupation, nationality and date of birth.
Statutory information for live companies is kept indefinitely, and Companies House publishes statutory information for dissolved companies for 20 years after they are wound up, after which it is transferred to the National Archives. Companies House's position is that, because of the statutory duty to publish, the Data Protection Act does not apply to this information.
A small amendment was made to the underlying legislation (the Companies Act 2006) so that the Registrar is now obliged to publish only the month and year of birth of company officers rather than the full date. However, documents registered before the new law came into force on 10 October 2015 will continue to display the full date of birth, as the change is not being applied retrospectively, presumably because redacting that information across the existing archive would be expensive.
The fact that no effort appears to have been made to alert company officers about the changes speaks of a lack of joined-up thinking in government about the pace of technological change and the risks to security.
Spear-phishing attacks targeting company officials are growing in both volume and sophistication. In the past, when access to this information was gated, it would have generally been uneconomic for criminals to bulk-download personally identifiable information (PII) on directors from Companies House. Now that the barrier has been lifted, the government should publicly advise directors of that fact at the very least.
"It's strange that while directors are personally liable for a company's actions, it now seems they need to be aware their personal details become public," Revill said.
"I agree that the information should be public but [the amendment to the Companies Act 2006] seems to have been written with limited comprehension of the digital context for publication and without recognising that the change massively increases the threat concerns for the companies and individuals."
Commenting on the issue of obligation to publish, Christopher Coughlan, associate at law firm Ashfords LLP, said the issue is not clear cut.
"Whilst Companies House has a statutory duty to publish certain information about company directors, it also has a duty as a data controller to process personal data in accordance with the Data Protection Act 1998 (DPA)," he said.
"It is correct that Companies House relies on the 'publicly available information' exemption under the DPA to publish this information, but that exemption only relieves Companies House from some of its obligations in respect of that information," said Coughlan.
"By making this information about directors available online, without a requirement for individuals to even log in or provide their details to Companies House, there is an increased risk that those directors will be subject to cyber attacks especially those individuals whose full dates of birth will appear online.
"It remains to be seen whether the Information Commissioner views Companies House's failure to redact the full dates of birth for those directors that predate the new legislation as a failure to fully comply with their data protection obligations."
Computing has contacted Companies House for comment.
This article was amended to include Christopher Coughlan's comments.