
UK’s Companies House confirms security flaw exposed business data

Why This Matters

The security flaw at UK’s Companies House exposed sensitive business data of over five million companies for five months, highlighting vulnerabilities in government digital infrastructure. This incident underscores the importance of rigorous cybersecurity measures in protecting critical data and maintaining public trust in digital government services. It serves as a reminder for organizations to prioritize ongoing security assessments and updates to prevent similar breaches.

Key Takeaways

Companies House, a British government agency that operates the registry for all U.K. companies, says its WebFiling service is back online after it was closed on Friday to fix a security flaw that exposed companies' information since October 2025.

Dan Neidle, founder of the non-profit Tax Policy Associates, reported the vulnerability to the U.K. corporate register on Friday after Ghost Mail's John Hewitt (who discovered the flaw) didn't receive a reply.

"All that was required was to log in to Companies House using your own details and access your own company's dashboard. Then opt to 'file for another company' and enter the company number for any one of the five million companies registered with Companies House," said Neidle.

"At that point you'd be asked for an authentication code, which of course you don't have. No problem. Press the 'back' key a few times to return to your dashboard. Except – it isn't your dashboard. It's the other company's dashboard."

Neidle added that the flaw exposed the data of five million registered companies for five months, including their management's home and email addresses.
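The behaviour Neidle describes is consistent with a common broken access control pattern, sketched here as an added example that is not from the article or from Companies House. It assumes (the article does not state the root cause) that the requested company was written into session state before the authentication code was verified; all class names, company numbers and codes are hypothetical.

```python
import hmac

# Constructed sample data: company number -> authentication code.
AUTH_CODES = {"00000001": "A1B2C3", "00000002": "Z9Y8X7"}


class VulnerableSession:
    """Assumed bug pattern: the target company becomes the active company
    before the authentication code has been checked."""

    def __init__(self, own_company):
        self.active_company = own_company

    def file_for_another(self, company_number):
        self.active_company = company_number  # state committed too early
        return "enter authentication code"

    def dashboard(self):
        # Trusts session state without re-checking authorisation, so leaving
        # the code prompt still shows the other company's dashboard.
        return self.active_company


class HardenedSession:
    """Holds the request as pending until the code verifies, and checks
    authorisation again on every dashboard request."""

    def __init__(self, own_company):
        self.authorised = {own_company}
        self.active_company = own_company
        self.pending = None

    def file_for_another(self, company_number):
        self.pending = company_number  # not active until verified
        return "enter authentication code"

    def submit_code(self, code):
        expected = AUTH_CODES.get(self.pending or "", "")
        ok = bool(expected) and hmac.compare_digest(code.encode(), expected.encode())
        if ok:
            self.authorised.add(self.pending)
            self.active_company = self.pending
        self.pending = None  # a failed or abandoned attempt leaves no trace
        return ok

    def dashboard(self):
        if self.active_company not in self.authorised:
            raise PermissionError("not authorised for this company")
        return self.active_company
```

The hardened version enforces the check server-side on each request, so browser navigation cannot bypass it.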

Companies House confirmed the vulnerability on Monday after bringing the filing service back online and said that the issue was introduced when the agency updated its WebFiling systems in October 2025.

The agency said the flaw could've been abused only by logged-in users and would've allowed them to "change some elements of another company's details without their consent." However, it also added that the security issue could only be exploited to steal data and access company records one entry at a time.

"Our investigation has established that specific data from individual companies not normally published on the Companies House register may have been visible to other logged-in WebFiling users," Companies House noted.

"This includes dates of birth, residential addresses and company email addresses. It may also have been possible for unauthorised filings — such as accounts or changes of director — to have been made on another company's record."

As the agency added, no user passwords were compromised, and data used during the identity verification process, such as passport information, was not accessed while the service was vulnerable. Additionally, "no existing filed documents, such as accounts or confirmation statements could have been altered."
