UK Companies House WebFiling Flaw Exposes Director Data, Spurs Security Overhaul

UK’s Companies House WebFiling Security Flaw Exposes Director Data for Five Months

In a significant cybersecurity incident, the UK’s Companies House, the official registrar of businesses, has disclosed a security vulnerability in its WebFiling service that exposed sensitive director information and potentially allowed unauthorized modifications to company records over a five-month period.

Andy King, Chief Executive of Companies House, announced the breach on March 16, 2026. The agency took immediate action by taking the WebFiling system offline on March 13 upon discovering the flaw. After conducting independent testing and implementing necessary patches, the service was reinstated on March 16.

Details of the WebFiling Flaw

The vulnerability resembled an Insecure Direct Object Reference (IDOR) flaw, enabling authenticated WebFiling users to access and modify other companies’ profiles without proper authorization. Exploitation required an active login with a valid authentication code, limiting access to registered users. Notably, the flaw could not be automated to extract large volumes of data; unauthorized access was restricted to individual records.

An internal investigation revealed that the security gap was inadvertently introduced during a system update in October 2025, leaving the vulnerability unaddressed for five months.

Exposed Information and Potential Risks

The breach compromised private data typically concealed from the public register, including:

– Dates of birth for company directors
– Private residential addresses
– Registered company email addresses

Beyond data exposure, the flaw may have permitted unauthorized users to submit fraudulent filings, such as altering director details or filing false accounts on behalf of other businesses.

Companies House stated that certain highly sensitive information remained secure: passwords and identity verification documents, such as passport details, were not compromised. Additionally, previously filed official documents could not be altered through this vulnerability.

Incident Response and Mitigation Measures

Upon identifying the breach, Companies House promptly reported the incident to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC). The agency is currently analyzing internal data logs to detect any unauthorized access or fraudulent changes made during the exposure period.
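The IDOR pattern described above and the log review mentioned here, as an added Python illustration that is not Companies House code: a hypothetical profile handler that trusts the company number in the request beside one that checks the session's authorised companies, plus a scan over constructed log lines for cross-company requests. The session layout, company numbers, profile fields and log format are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Session:
    user: str
    # Company numbers this login has proved control of with an authentication code
    authorised_companies: set = field(default_factory=set)

# Constructed sample register entries keyed by company number (not real data)
PROFILES = {
    "01234567": {"director_dob": "1970-01-01", "email": "a@example.test"},
    "07654321": {"director_dob": "1985-05-05", "email": "b@example.test"},
}

def get_profile_vulnerable(session, company_number):
    # Checks only that the caller is logged in; the company number from the
    # request is trusted, so any authenticated user can read any profile (IDOR)
    if session is None:
        raise PermissionError("login required")
    return PROFILES[company_number]

def get_profile_fixed(session, company_number):
    # Object-level authorisation: the requested company must be one this
    # session actually authenticated for, whatever the request claims
    if session is None or company_number not in session.authorised_companies:
        raise PermissionError("not authorised for this company")
    return PROFILES[company_number]

def is_denied(session, company_number):
    try:
        get_profile_fixed(session, company_number)
    except PermissionError:
        return True
    return False

# Constructed access-log lines in the form "<session id> <method> <path>"
SAMPLE_LOG = [
    "s1 GET /company/01234567/profile",
    "s1 POST /company/07654321/profile",
]

def find_cross_company_access(log_lines, sessions):
    # Flag requests whose path company number the session was not authorised for
    flagged = []
    for line in log_lines:
        session_id, method, path = line.split()
        company_number = path.split("/")[2]
        if company_number not in sessions[session_id].authorised_companies:
            flagged.append((session_id, method, company_number))
    return flagged
```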

While no confirmed reports of malicious exploitation have surfaced, Companies House has warned of strict actions against any misuse of the system.

The agency is reaching out to all registered businesses via email to explain the incident and recommend security checks. Organizations are urged to log into their accounts immediately to review registered details and filing histories for any unauthorized changes. If suspicious activity or incorrect data is detected, businesses should file an official complaint with Companies House, providing evidence of the unauthorized changes.

To address further concerns, Companies House plans to publish a detailed FAQ page for business owners and cybersecurity professionals.