
Companies House restarts online services following cyber breach | Computer Weekly

By Computer Weekly
March 16, 2026


Companies House, the UK’s business registrar, has successfully rebooted its online WebFiling service after it emerged that a previously-unknown cyber security issue exposed various data on companies and people associated with them to other logged-in users.

The flaw – which appears to have arisen during a WebFiling update last year – was never accessible to the general public and only logged-in users in possession of an authorised code could have exploited it. Companies House pulled WebFiling offline at lunchtime on Friday 13 March in order to investigate and remediate.

Companies House found the data exposed included dates of birth, residential addresses and company addresses. It also discovered that it may have been possible for people to make unauthorised actions – such as changing directors or even filing accounts.

It stressed that no credentials or data used for identity verification, such as passport information, were exposed, and neither could any existing filed documents have been altered.

Companies House chief executive Andy King said: “We are asking all companies to check their registered details and filing history to make sure everything appears correct. If a company has a concern, please raise a complaint and include evidence to describe the concern.

“I recognise that this incident will have caused concern and inconvenience to many of the companies and individuals who rely on our services. I am sorry for that.

“Companies House takes its responsibility to protect the data entrusted to us extremely seriously. We have taken swift action to secure and restore our service, and are committed to doing everything in our power to support those affected and to making sure that our services continue to merit the trust placed in them,” said King.

The incident has been reported to both the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC). King said that the registrar was still actively analysing its data to try to identify any anomalies. He added: “If we find evidence that anyone has used this issue to access or change another company’s details without authorisation, we will take firm action.”

Simple vulnerability

The issue was first reported to Companies House by Dan Neidle, of non-profit thinktank Tax Policy Associates, on behalf of John Hewitt, operations director at Ghost Mail, a provider of mailing address services.

Writing online, Neidle said the vulnerability was “incredibly simple” to exploit. All a logged-in user needed to do was click through the ‘file for another company’ option – which would usually prompt for an authentication code to stop unauthorised access. However, if the logged-in user hit their backspace key a few times they would be sent back not to their own dashboard, but to the ‘target’ company’s.

Neidle said that the two men were able to use the vulnerability to view the private dashboard of another individual – with permission from them – and to successfully modify his own registered address at Companies House. “I was incredulous at what John showed me,” he said.
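The behaviour described above leaves a recognisable trace in server-side audit data: a session views or files for a company without ever passing that company's authentication code check. The following is an added example, not code from Companies House, Computer Weekly or Neidle; the event names, field names, company numbers and sample events are constructed assumptions, including the assumption that a login verifies the user's own company.

```python
from collections import defaultdict

# Constructed audit events; the schema and event names are assumptions.
def _e(ts, session, event, company):
    return {"ts": ts, "session": session, "event": event, "company": company}

SAMPLE_EVENTS = [
    # s1: code prompt answered correctly before touching the second company
    _e("2026-03-01T09:00:01", "s1", "login", "AAA00001"),
    _e("2026-03-01T09:00:05", "s1", "dashboard_view", "AAA00001"),
    _e("2026-03-01T09:01:10", "s1", "auth_code_prompt", "BBB00002"),
    _e("2026-03-01T09:01:30", "s1", "auth_code_ok", "BBB00002"),
    _e("2026-03-01T09:01:31", "s1", "dashboard_view", "BBB00002"),
    # s2: prompt shown, never satisfied, yet the other company's pages are served
    _e("2026-03-01T10:00:00", "s2", "login", "CCC00003"),
    _e("2026-03-01T10:02:00", "s2", "auth_code_prompt", "DDD00004"),
    _e("2026-03-01T10:02:04", "s2", "dashboard_view", "DDD00004"),
    _e("2026-03-01T10:03:40", "s2", "filing_submit", "DDD00004"),
]

PRIVILEGED = {"dashboard_view", "filing_submit"}

def find_unverified_access(events):
    """Return privileged events on a company the session never verified for."""
    verified = defaultdict(set)   # session -> companies verified (login or code)
    prompted = defaultdict(set)   # session -> companies where a code was requested
    findings = []
    for ev in sorted(events, key=lambda ev: ev["ts"]):
        sid, kind, company = ev["session"], ev["event"], ev["company"]
        if kind in ("login", "auth_code_ok"):
            verified[sid].add(company)
        elif kind == "auth_code_prompt":
            prompted[sid].add(company)
        elif kind in PRIVILEGED and company not in verified[sid]:
            # after_prompt marks the "prompt shown, then bypassed" pattern
            findings.append({**ev, "after_prompt": company in prompted[sid]})
    return findings

if __name__ == "__main__":
    for f in find_unverified_access(SAMPLE_EVENTS):
        print(f["ts"], f["session"], f["event"], f["company"], f["after_prompt"])
```

The same rule, enforced at request time instead of in log review, is the corresponding control: every dashboard or filing request is checked against the set of companies the session has verified, regardless of how the user navigated to it.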

Was the bug exploited?

It is unclear if the bug was ever exploited, but in Companies House’s view it was also highly unlikely that any systematic access to company records or large-scale data exfiltration took place because any access that did occur would have been limited to individual company records, viewed one at a time, by a registered user.

Neidle noted that the flaw had been live and exploitable since October 2025, which meant there is a distinct possibility that it was discovered by a threat actor. He said that if this had been the case, it was likely used “carefully, selectively and for profit” because broad exploitation would have been swiftly discovered.

William Wright, CEO of Closed Door Security, said the ability to access and edit company details presented a huge amount of leeway for both explicit and subtle fraud, and had caused serious uncertainty around a system used by the vast majority of UK companies.

“Company directors and C-suite are already lucrative targets for phishing and fraudsters: these individuals typically have privileged access in company systems and are privy to sensitive and valuable information,” said Wright.

“Being able to acquire details like home addresses, etc. makes targeted attacks like spear phishing against these individuals far more viable and increases the potential for many other kinds of fraud and targeted harassment. This is to mention nothing of the GDPR implications were information to be exposed.”

He continued: “That companies’ registration details could also be modified presents obvious problems. Companies can be penalised in various ways for providing inaccurate information when filing, and this can lead in some instances to serious accusations of fraud. The fact details could be modified by anyone without authorisation could raise serious problems for future investigations, especially if there’s any suspicion of tampering.”

Wright added that the length of time for which the flaw went undetected also raises more serious questions for Companies House, as it suggests the body tasked with providing the public with a single, transparent source of accurate information on British businesses lacked appropriate auditing, logging or testing procedures that might have spotted it sooner, and without outside help.

“If the government and Companies House’s current security testing processes were fit for purpose, flaws like this should not have occurred,” said Wright. “Given that many companies are required by law to use these services, basic testing and data protection are absolutely critical, especially if the government wants to retain its credibility with the business community.”


