Significant Security Flaw in UK Companies House Raises Concerns Over Data Exposure
The UK Companies House has recently revealed a substantial security vulnerability within its WebFiling service, which resulted in the exposure of sensitive director information for an extended period. This critical issue came to light amid concerns regarding data protection and the potential implications for corporate privacy.
Chief Executive Andy King confirmed that the security breach originated from a system update implemented in October 2025. This flaw permitted authenticated users to access and, alarmingly, modify private details of other companies without their explicit consent. Companies House discovered the flaw on March 13, 2026, and in response took immediate action by taking the online portal offline to safeguard against any further data exposure.
Following a thorough weekend of independent security testing and system repairs, the platform was re-activated on March 16. This swift response aimed to mitigate the vulnerabilities and reassure stakeholders that the situation was under control.
An In-Depth Look at the Authorization Bypass
The vulnerability in question was categorized as a severe authorization bypass. Notably, it could not be reached anonymously from the open internet, which offered some layer of protection against widespread exploitation. To exploit this flaw, an attacker would need to be among the registered system users, possessing a valid authentication code. Once authenticated, a series of specific actions could allow for unauthorized access to private corporate records.
The failure in access control was especially troubling; it meant that sensitive personal information like exact dates of birth, residential addresses, and corporate email addresses could be accessed by any logged-in user. Furthermore, beyond mere data exposure, this vulnerability enabled malicious individuals to engage in potentially fraudulent activities, such as submitting unauthorized corporate filings that could include dubious changes to board memberships or falsified financial documents.
Despite the seriousness of the breach, Companies House officials were quick to clarify the limitations surrounding the incident. The nature of the flaw inherently restricted the possibility of mass data extraction: automated web scraping was not feasible. Unauthorized access was confined to a highly impractical method of viewing individual company records one at a time, which significantly undermined the potential for widespread data theft.
Additionally, the agency confirmed that critical security protocols remained intact. For instance, user passwords were never compromised, and sensitive identity verification materials—such as scanned passport documents—were completely isolated from the compromised systems. Existing historical documents that had been securely filed could not be altered through this exploit, further safeguarding the integrity of corporate records.
Steps Taken Following the Discovery
In light of the incident, Companies House has initiated an internal investigation and has taken the proactive step of notifying both the Information Commissioner’s Office and the National Cyber Security Centre. Cybersecurity teams are currently undertaking a forensic analysis of system logs to look for any confirmed instances of unauthorized access.
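To make the class of flaw described above concrete, and the kind of log review the agency says it is carrying out, here is an added illustration that is not Companies House code and does not reflect its actual system; the session model, register, log format and all data are constructed for the example. It contrasts a handler that only checks authentication with one that also checks authorization for the specific company, and replays constructed access-log lines against known authorizations.

```python
# Added example, not Companies House code: an authenticated-but-unauthorized
# access pattern (left) beside the per-company check that prevents it, plus a
# retrospective log check. All names, formats and data are constructed.
from dataclasses import dataclass, field


class Forbidden(Exception):
    pass


@dataclass
class Session:
    user_id: str
    # company numbers for which this session presented a valid authentication code
    authorised_companies: set = field(default_factory=set)


# Constructed register: company number -> private director details
REGISTER = {
    "01234567": {"director": "A. Example", "dob": "1970-01-02"},
    "07654321": {"director": "B. Sample", "dob": "1985-03-04"},
}


def get_record_vulnerable(session, company_number):
    # Only checks that the caller is logged in: any authenticated user can
    # read (or, on a write endpoint, change) any company's private details.
    if not session.user_id:
        raise Forbidden("not authenticated")
    return REGISTER[company_number]


def get_record_hardened(session, company_number):
    # Authorisation is decided per request against the specific resource:
    # the session must hold a valid authentication code for *this* company.
    if not session.user_id:
        raise Forbidden("not authenticated")
    if company_number not in session.authorised_companies:
        raise Forbidden(f"{session.user_id} not authorised for {company_number}")
    return REGISTER[company_number]


def find_unauthorised_access(log_lines, authorisations):
    """Replay constructed log lines ('user_id company_number action') against
    the known user -> company authorisations; return entries that should have
    been denied but were served while the flaw was live."""
    suspicious = []
    for line in log_lines:
        user, company, action = line.split()
        if company not in authorisations.get(user, set()):
            suspicious.append((user, company, action))
    return suspicious
```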
Moreover, the agency is reaching out to all registered corporate entities to inform them of the developments and provide clear guidance on what actions to take. Business owners are encouraged to scrutinize their filing histories and registered details for any inconsistencies. Should any discrepancies arise, they are urged to file an official complaint, accompanied by supporting evidence.
Chief Executive Andy King has issued a formal apology, expressing the agency’s commitment to taking stringent legal actions against any individuals found to have exploited this vulnerability. In a bid to maintain transparency during the ongoing investigative process, Companies House has also pledged to launch a dedicated webpage, designed to answer questions and provide updates as the situation evolves.
This incident has raised serious questions regarding cybersecurity protocols within government services and underscores the critical need for robust data protection measures in an increasingly digital world. As stakeholders await further developments, the focus remains on ensuring that lessons are learned to prevent similar occurrences in the future.
