Companies House has been criticised for publishing highly personal information on its website that could be used in spear phishing campaigns or other forms of fraud.
The publicly accessible trial version of the new website includes easy access to company directors' personal details, such as date of birth, signature and home address, potentially making them targets for identity theft and phishing.
The beta version of the Companies House website has been live since June 2015. It allows anyone to download PDFs of annual returns, accounts and other records going back many years.
There are 170 million such documents, many containing personal information about company directors and secretaries, such as service addresses, which are the same as their home addresses in some cases, dates of birth, signatures and other details.
These records were already accessible prior to the release of the beta website, but it was necessary to register with Companies House and pay a fee to view them.
The goal of increasing public access to information held by Companies House is laudable, as the public should be able to trace the activities of company officials without having to pay for the privilege.
This is important for commercial investment and partnership decisions and for the prevention of fraud, but the risks in doing so need to be thought through.
"Previously the person accessing it would have to give up their details to obtain the information, which at least mitigated the issue," said Geoff Revill, privacy advocate and co-founder of Krowdthink, who alerted V3 sister site Computing to the matter.
"Now anyone anywhere can obtain this information to gain trust, which is perfect for attacks that use social engineering and spear phishing."
The Companies House Personal Information Charter makes it clear that the organisation is obliged to make information on company officers public under the Companies Act 2006. This information may include name, address, occupation, nationality and date of birth.
Statutory information for live companies is kept indefinitely, and Companies House publishes statutory information for dissolved companies for 20 years after they are wound up, whereupon they are placed in the National Archive. The statutory duty to publish means that the Data Protection Act does not apply in this case.
A small amendment was made to the Companies Act 2006 such that the Registrar is now obliged to publish only the birth year and month of company officers rather than the full date.
However, documents registered prior to the change on 10 October 2015 will continue to display the full date of birth as this ruling will not be applied retrospectively, presumably because it would be expensive to redact that information.
The fact that no effort appears to have been made to alert company officers about the changes speaks of a lack of joined-up thinking in government about the pace of technological change and the risks to security.
Spear phishing attacks targeting company officials are growing in volume and sophistication. Access to this information was gated in the past, making it generally uneconomic for criminals to bulk download personally identifiable information on directors from Companies House.
Now that the barrier has been lifted, the government should publicly advise directors of that fact at the very least.
"It's strange that, while directors are personally liable for a company's actions, it now seems they need to be aware that their personal details become public," Revill said.
"I agree that the information should be public but [the amendment to the Companies Act 2006] seems to have been written with limited comprehension of the digital context for publication and without recognising that the change massively increases the threat concerns for the companies and individuals."
Christopher Coughlan, an associate at law firm Ashfords LLP, suggested that the issue of obligation to publish is not clear cut.
"Whilst Companies House has a statutory duty to publish certain information about company directors, it also has a duty as a data controller to process personal data in accordance with the Data Protection Act [DPA] 1998," he said.
"It is correct that Companies House relies on the 'publicly available information' exemption under the DPA to publish this information, but that exemption only relieves Companies House from some of its obligations in respect of that information.
"By making this information about directors available online, without a requirement for individuals to even log-in or provide their details to Companies House, there is an increased risk that those directors will be subject to cyber attacks, especially those individuals whose full dates of birth will appear online.
"It remains to be seen whether the information commissioner views Companies House's failure to redact the full dates of birth for those directors that predate the new legislation as a failure fully to comply with their data protection obligations."
V3 has contacted Companies House for comment.
Computing's Enterprise Security & Risk Management Summit returns on 24 November. Entrance is FREE to qualifying IT leaders and computing professionals, but places are going fast, so register now.
Curiosity rover is in 'normal mode' but not transmitting scientific data back to base
NatWest outage comes a day after Barclays' IT systems shut out customers and staff
The ICO is concerned with AggregateIQ's retention and processing of data used in the Brexit referendum
Map selection, quick menus for grenades and healing items, and automatic reload all coming in PUBG update #22