Companies House Security Flaw Exposes Private Data of UK Business Directors A critical vulnerability in the UK’s Companies House WebFiling system exposed sensitive details of directors at millions of registered businesses, including AstraZeneca, Shell, and Tesco. The flaw, discovered last Friday, forced the agency to temporarily shut down its online filing service before restoring it on Monday morning. The bug allowed logged-in users to access confidential data such as dates of birth and residential addresses of key personnel from the 5 million companies on the register. More alarmingly, it permitted unauthorized changes to directors’ contact details, including addresses and emails, without consent. Security researcher John Hewitt of Ghost Mail identified the issue, which could be triggered by pressing the back button four times while viewing a company’s profile. An internal investigation traced the vulnerability to a system update implemented in October 2023. Companies House CEO Andy King confirmed that no evidence of unauthorized data access or alterations has been found, though the review remains ongoing. The agency has urged businesses to verify their registered details for accuracy. The incident is now under scrutiny by the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC). Companies House has advised affected businesses to file complaints if they suspect any misuse of their data.

UK Food Logistics Firm Hit by Ransomware, Disrupting Major Supermarket Supply Chains A ransomware attack on Peter Green Chilled, a key logistics provider for major UK supermarkets, has disrupted order processing for retailers including Tesco, Sainsbury’s, Asda, Waitrose, Co-op, Morrisons, M&S, and Aldi. The incident, which occurred last Wednesday, forced the Somerset-based company to suspend order handling on Thursday, though transport operations remained unaffected. Managing Director Tom Binks confirmed the attack in an email, stating that the firm was implementing workarounds to maintain deliveries while providing regular updates to clients. While existing schedules have largely held, concerns persist among suppliers of perishable goods over potential waste due to delays. This attack follows a recent surge in ransomware incidents targeting the UK retail sector, with Marks & Spencer, Co-op, and Harrods all experiencing disruptions in recent weeks. Phil Pluck, CEO of the Cold Chain Federation, noted a sharp rise in such attacks on food distribution networks, often unreported due to reputational risks. The cold chain sector’s tight timelines and high-volume perishable goods make it a lucrative target for cybercriminals. Security experts warn that supply chain vulnerabilities amplify the impact of such breaches. Richard Orange of Abnormal AI highlighted the risk of follow-on attacks, including vendor email compromise, where attackers impersonate suppliers to steal credentials or redirect payments. Meanwhile, Andy Norton of Armis reported that 41% of retailers have faced increased cyber threats in the past six months, with no signs of slowing. Peter Green Chilled has not yet provided further comment on the incident. A previous reference to Lidl as a client was retracted after the supermarket confirmed it no longer uses the firm’s services.

UK Food Distributor Hit by Ransomware Attack, Disrupting Supermarket Supply Chains A ransomware attack has crippled Peter Green Chilled, a Somerset-based food distributor supplying major UK supermarkets, including Tesco and Aldi. The incident, which struck last week, left the company unable to process fresh orders on Thursday, though transport operations remained unaffected, according to managing director Tom Binks. The attack follows a surge in cyber incidents targeting the retail and food sectors, with Marks & Spencer and the Co-op also recently impacted. Ransomware typically involves hackers encrypting critical data and demanding payment often in cryptocurrency for its release. While Peter Green Chilled has provided clients with updates and workarounds, the disruption has had tangible consequences. Supplier Wilfred Emmanuel-Jones of The Black Farmer reported that around 10 pallets of meat products were stranded, risking spoilage as delays mounted. Cybersecurity experts warn that such attacks extend beyond digital breaches, directly disrupting physical supply chains. Tim Grieveson of ThingsRecon noted that even brief interruptions in logistics or warehouse systems can be devastating for perishable goods. The incident underscores the growing vulnerability of food distribution networks to cyber threats, with smaller suppliers increasingly in the crosshairs. Peter Green Chilled has not disclosed whether a ransom was paid or the full extent of the operational impact.

Tesco’s website and app was targeted by cyber attack in October 2021. Their online grocery store website and app were interrupted. There have been issues with the site's search feature as a result of an attempt to meddle with their systems. They apologise for the inconvenience and worked very hard to fully restore all services.

Tesco is suing Broadcom and VMware reseller Computacenter for £100 million in damages after Broadcom terminated perpetual license support for VMware’s vSphere Foundation and Cloud Foundation, which Tesco had purchased in 2021 with a five-year support agreement (until 2026) and an optional four-year extension. The abrupt shift to subscription-based pricing forced Tesco to face 'excessive and inflated prices' for virtualization software it had already paid for. The lawsuit highlights severe operational risks, as VMware’s software underpins ~40,000 server workloads—including critical systems like store tills and supply chain operations. Failure to resolve the dispute could disrupt Tesco’s grocery supply chains across the UK and Ireland, potentially leading to widespread operational outages, financial losses, and reputational damage. Replacing VMware entirely would also be costly and high-risk, compounding the threat to Tesco’s business continuity. The case reflects broader industry backlash against Broadcom’s pricing model, with other major firms like AT&T and Siemens filing similar lawsuits.

Tesco experienced a data security incident on March 2020. A database of stolen usernames and passwords from other platforms had been tried out on its websites. No financial data was accessed and its systems have not been hacked. Tesco issued new cards to 600,000 Clubcard account holders after unearthing a security issue.

Tesco service is run by currency giant Travelex for orders made over the telephone and online. It confirmed that 17,000 Tesco Travel Money customers have had personal information stolen, including full names and addresses. The compromise also includes e-mails sent from staff to customers, and internally. Those who have purchased their currency online or over the telephone at Tesco to collect in the branch or delivered at home could have been hit. No financial information has been disclosed. It is investigating how the data breach happened.

Tesco had to deactivate some customers' net accounts after their login names and passwords were shared online. The list of more than 2,000 Tesco.com accounts was posted to a popular text-sharing site. After knowing about the incident, Tesco immediately investigated the incident and notified all customers who were affected.