CyberSecurity SEE

UK Agency Reveals Data on Corporate Executives

Directory Traversal Flaw Found in Companies House


A significant security issue has emerged within the British government’s company register service, known as Companies House. Due to the discovery of a critical vulnerability that could expose sensitive personal data of company directors, the online filing service has been temporarily suspended. This vulnerability raised alarms as it potentially allowed unauthorized users not only to view private information, but also to amend company records and submit fraudulent accounts.

The incident, which has captured the attention of the Information Commissioner’s Office (ICO), was confirmed by the privacy regulator on March 16, 2026. The ICO has since initiated an investigation into the situation. While the agency has stated that there is currently no evidence indicating that the vulnerability was exploited for malicious purposes, the flaw has reportedly existed for approximately five months. Officials have urged company directors across the United Kingdom to verify the accuracy of their details on the Companies House platform promptly.

The flaw was originally identified by John Hewitt, the operations director at the corporate services firm Ghost Mail. After discovering the issue, Hewitt notified tax lawyer Dan Neidle, the founder of the nonprofit organization Tax Policy Associates, who subsequently informed Companies House of the vulnerability. Neidle also shared the details with the public through a blog post, shedding light on the seriousness of the situation.

In his post, Neidle elaborated on the demonstration provided by Hewitt, which showed how he could access another company’s private dashboard on Companies House. The information exposed included critical data not typically accessible to the public, such as full names, email addresses, and birthdates of company directors. This kind of sensitive data can serve as a foundation for fraudulent activities, including impersonation, phishing attacks, and social engineering schemes aimed particularly at directors of smaller companies. In contrast, many larger corporations have security measures in place that prevent unauthorized transactions conducted by a single individual.

Neidle noted that the exploit could be carried out with minimal technical proficiency. To access another company’s dashboard, an individual simply needed to log in using their own credentials, select the option to “file for another company,” and input any registered company number from the five million entities listed with Companies House. An authentication code, which the user would not possess, would then be required, but Neidle detailed a way around that step: pressing the back button multiple times led to the other company’s dashboard.
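The article does not describe the server-side cause, so the following is an added illustration and not Companies House code or anything from Neidle's post. It assumes a hypothetical session model in which the company number is stored when it is typed in, and contrasts a dashboard that trusts page flow with one that checks authorization on every request; all names and sample data are constructed.

```python
# Constructed model of the flaw class described above; every name is hypothetical.
import hmac

# Constructed sample data: company number -> authentication code.
AUTH_CODES = {"00000001": "A1B2C3", "00000002": "X9Y8Z7"}


class Session:
    def __init__(self, user):
        self.user = user
        self.selected_company = None      # set when a company number is entered
        self.verified_companies = set()   # filled only after the code checks out


def select_company(session, number):
    """Step 1 of 'file for another company': the user names a company."""
    if number not in AUTH_CODES:
        raise KeyError("unknown company number")
    session.selected_company = number


def submit_auth_code(session, code):
    """Step 2: prove control of the selected company with its code."""
    number = session.selected_company
    if number is None:
        return False
    ok = hmac.compare_digest(code.encode(), AUTH_CODES[number].encode())
    if ok:
        session.verified_companies.add(number)
    return ok


def dashboard_weak(session):
    """Trusts navigation order: renders whatever company is selected."""
    return session.selected_company


def dashboard_checked(session):
    """Authorizes each request, regardless of which page the browser came from."""
    number = session.selected_company
    if number is None or number not in session.verified_companies:
        raise PermissionError("authentication code not verified for this company")
    return number
```

In this model the weak handler serves a company the user only named, while the checked handler refuses until the code for that exact company has been verified in the same session.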

Following the public disclosure of the flaw, Companies House CEO Andy King released an apologetic statement about the incident. He announced that the agency had promptly deactivated its WebFiling system on Friday afternoon and subsequently reopened it the following Monday after addressing the flaw and ensuring the solution underwent independent testing. King revealed that the vulnerability may have originated from a system update implemented in October 2025.

According to King, the investigation confirmed that specific data from individual companies, which typically isn’t published on the Companies House register, may have been visible to other logged-in users of the WebFiling platform. This included sensitive items such as directors’ birthdays, residential addresses, and company email addresses. Furthermore, the flaw could potentially have allowed unauthorized filings, including misrepresentations of company accounts or changes to directors’ details.

The CEO also emphasized that the vulnerability would not have led to mass data extraction or systematic access to records; any exposure would have been limited to individual companies’ information accessed sequentially by logged-in users.

Companies House has reported the issue to both the ICO and the National Cyber Security Centre. The ICO acknowledged receipt of the report and is currently evaluating the shared information. As a precautionary measure, business owners are advised to routinely check for updates from Companies House and to heed any guidance provided.

In his statement, King stressed the importance of company directors reviewing their registered details and filing history to ensure everything appears accurate. Should any discrepancies arise, they are encouraged to report such concerns to the agency along with evidence. King assured the public that if any evidence of unauthorized access or alterations to company information comes to light, Companies House would act decisively to address the situation.
