And so it begins…

I want to use these blogs to present some real-life case studies that illustrate some of the dangers (but also provide some reassurance) as to what to expect if your name or address gets used in the formation of a new company.

Of course, I will not include any personally identifiable information, as this would go against everything RA247 was set up to counteract. Even so, these explanations will go a long way towards explaining why these things happen and the potential cost, not only to the economy and existing businesses but also to individuals’ stress and confidence levels.

Our first case study is, fortunately, quite a rare event.

It started with the hack of at least two (and possibly more) Human Resources databases, which included names, addresses and other personally identifying information (such as National Insurance numbers).

This information was then used to start creating companies.

At this point it is important to understand the overall filing requirements for new companies versus what appears on that company’s public record at Companies House.

When you start a company, you need to provide several pieces of information, including the registered address of the company, your normal residential address and a director’s correspondence address. Only the registered address and correspondence address will appear on the public register.

Of course, if you provide your normal residential address as the registered address and/or your director’s correspondence address, it will be exposed for all the world to see.

For these reasons, lots of people use a separate correspondence address, to prevent their personal address becoming public.

However, if you want to open a bank account, the bank will need to know your personal address in order to perform the necessary checks.

This is where it gets complicated.

The people who stole the data will undoubtedly want to try to open bank accounts, but will not necessarily want you to receive the post (otherwise you might work out what is going on and stop them).

So, they will register the business to a “dummy” or “safe” address, and also use it as the director’s correspondence address, while using the stolen data subject’s real address as the “normal residential address” on the application forms.

That way, they don’t risk being spotted too quickly, but they have increased the possibility of gaining access to banking, as the underlying details will be correct.

How do you choose a “dummy” or “safe” address?

In the case of this network, they hit upon the idea of registering the companies to empty shops. There are several internet sites that aggregate commercial premises to let, making it very straightforward to harvest the addresses into one database.

Companies House sends out letters to both the registered address and the director’s correspondence address. When those letters are posted through the letterbox of an empty shop, there is likely to be a considerable delay before anyone suspects something is wrong.

And that delay is probably long enough to gain access to banking and the potential for a business loan or overdraft, and then disappear.

Lots of banks, when a company applies for an account, will check the company actually exists, and then run what’s known as an electronic identity check (usually through a third-party reference agency such as Experian or Equifax) on the underlying director.

If that person’s details (including name, address, NI number, voter’s roll entry etc) match what is on their database, the whole process can be approved electronically, without any human intervention.

The danger now is that, following default of any loans or overdrafts, that default could be registered against the unwitting provider of the stolen details.

So, what happened in the case of the network we identified?

Over the course of about six months, we saw more than 1,500 companies being created. We rapidly established that the source of most of the names being used resolved to just two companies (I won’t name them for obvious reasons) where the people were either current or former employees.

We worked with two different sets of lawyers acting for the two companies, which had both become aware of the data breach, to identify as many affected individuals as possible.

Up to that point, they had only become aware they were affected when correspondence started to arrive (presumably from the banks or other credit institutions which had received bank account applications, given that their real addresses did not appear on the public register).

And, of course, it took a while for them to realise that other colleagues had also been affected.

Ultimately, the firms concerned applied to the courts for a general court order, requiring Companies House to remove all of their past and present employees’ details from the public record, but this is a slow, time-consuming and expensive process, even for large firms.

And it is only a small compensation for the stress these individuals had to go through.

Ultimately, reform of Companies House (currently before parliament) will get rid of this problem but, in the meantime, the earliest possible warning of a potential problem is the best available defence.

Not only will we warn you that your name and/or address has appeared on the register, but you will get from us a comprehensive guide as to what this means and, more importantly, what to do next.
