UK Companies House Data Breach: Millions of Firms at Risk
UK Firms on High Alert After Companies House Data Exposure
A security vulnerability in the UK’s official company registry, Companies House, has left millions of firms on high alert. The issue, which was discovered in the WebFiling service, may have exposed sensitive personal data, including dates of birth, residential addresses, and company details.
Vulnerability Details
The vulnerability is believed to have been introduced during an update in October 2025 and could only be reached by users who were logged in with a valid authentication code. That restriction did not settle concerns, because the flaw exposed non-public data and potentially allowed unauthorized changes to be made to company records.
Discovery and Response
The issue was first identified by John Hewitt of Ghost Mail, a business and personal mailing address service, and later publicized by Dan Neidle of Tax Policy Associates, a research organization focused on tax and corporate transparency. Hewitt discovered that the flaw allowed a logged-in user to access another company’s dashboard without authorization: the user logged into their own account, attempted to file for the other company, and then pressed the back button four times after the authentication prompt.
Companies House has stated that passwords were not compromised, and no identity verification data, such as passport information, was accessed. Additionally, existing filed documents, including accounts and confirmation statements, could not have been altered. The agency believes that any potential access to data would have been limited to individual company records, viewed one at a time.
Investigation and Resolution
The incident has been reported to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC), and Companies House is conducting ongoing analysis to identify any anomalies. The agency has urged companies to review their accounts and report any suspicious activity.
“We believe that this issue could not have been used to extract data in large volumes or to access records systematically,” said a Companies House spokesperson. “If we find evidence that anyone has used this issue to access or change another company’s details without authorization, we will take firm action.”
Companies House has assured users that the WebFiling service is now back online, and the security issue has been resolved. However, the incident serves as a reminder of the importance of robust security measures to protect sensitive data.
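The kind of anomaly review described above can be expressed as a log audit: flag any dashboard view or record change on a company for which the same session never had an authentication code accepted. This is an added example, not Companies House code; the log format, event names and company identifiers are assumptions, the sample data is constructed, and the log is assumed to be in chronological order.

```python
import csv
import io

# Constructed sample log, not real Companies House data. The column names,
# event names and company identifiers (CO-A, CO-B, CO-C) are assumptions.
SAMPLE_LOG = """\
ts,session,event,company
2025-11-03T09:00:01,s1,login,
2025-11-03T09:00:10,s1,auth_code_ok,CO-A
2025-11-03T09:00:12,s1,dashboard_view,CO-A
2025-11-03T09:05:00,s2,login,
2025-11-03T09:05:20,s2,auth_code_ok,CO-B
2025-11-03T09:06:02,s2,auth_code_prompt,CO-C
2025-11-03T09:06:09,s2,dashboard_view,CO-C
2025-11-03T09:07:30,s2,record_change,CO-C
2025-11-03T09:08:00,s2,dashboard_view,CO-B
"""

# Events that should only occur for a company the session has authenticated for.
PROTECTED_EVENTS = {"dashboard_view", "record_change"}


def find_unauthorised_access(log_text):
    """Return protected events on companies the session never authenticated for."""
    authorised = {}  # session id -> companies with an accepted authentication code
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        session, event, company = row["session"], row["event"], row["company"]
        if event == "auth_code_ok":
            authorised.setdefault(session, set()).add(company)
        elif event in PROTECTED_EVENTS and company not in authorised.get(session, set()):
            # A prompt alone (auth_code_prompt) grants nothing, so this is flagged.
            findings.append((row["ts"], session, event, company))
    return findings


def affected_companies(findings):
    """Group findings by company so each affected firm can be reviewed and notified."""
    by_company = {}
    for ts, session, event, company in findings:
        by_company.setdefault(company, []).append((ts, session, event))
    return by_company


if __name__ == "__main__":
    for company, events in affected_companies(find_unauthorised_access(SAMPLE_LOG)).items():
        print(company, events)
```

Grouping the findings by company separates viewed records from changed ones, which is the distinction a registry would need when deciding which firms to contact.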
