Security Breach at UK Companies House Exposes Sensitive Business Data

Companies House WebFiling Service Restored After Security Flaw Exposed Data

Companies House, a crucial British government agency responsible for managing the registry of all U.K. companies, has announced the reactivation of its WebFiling service. The service was temporarily shut down on Friday to address a security vulnerability that had been exposing companies’ information since October 2025.

An alert regarding the security flaw was raised by Dan Neidle, the founder of the non-profit organization Tax Policy Associates. Neidle took action after John Hewitt from Ghost Mail, who initially discovered the flaw, did not receive a response.

According to Neidle, the vulnerability allowed unauthorized access to the dashboards of the five million companies registered with Companies House. By simply logging in with personal details and selecting the option to “file for another company” using the target company’s number, users could gain access to sensitive company information.

The flaw, present for five months, exposed data including home and email addresses of management personnel from the registered companies.

Companies House acknowledged the security breach on Monday after restoring the WebFiling service and attributed the issue to an update in October 2025 that introduced the vulnerability.

The agency clarified that the flaw could only be exploited by logged-in users and would allow them to modify certain details of another company without authorization. However, it could only be used to access data and records on a single-entry basis.
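The behaviour described above, where a logged-in user selects another company by number and reaches its dashboard, is a missing per-company authorisation check. The following is an added sketch, not Companies House code: the account names, company numbers, records and function names are all constructed for illustration. It shows the unchecked context switch beside a server-side check that also records denials for later review.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: which account may act for which company number.
AUTHORISED = {"alice": {"00000001"}, "bob": {"00000002"}}
# Constructed non-public records, keyed by company number.
RECORDS = {"00000001": {"email": "a@example.test"},
           "00000002": {"email": "b@example.test"}}

class Forbidden(Exception):
    """Raised when a user is not authorised for the requested company."""

@dataclass
class Session:
    user: str
    active_company: Optional[str] = None
    audit: list = field(default_factory=list)

def switch_company_vulnerable(s: Session, company_number: str) -> None:
    # Flaw class: being logged in is treated as sufficient, and the
    # company number supplied by the client is trusted as-is.
    s.active_company = company_number

def dashboard_vulnerable(s: Session) -> dict:
    # Returns whatever company the session points at, with no ownership check.
    return RECORDS[s.active_company]

def switch_company_checked(s: Session, company_number: str) -> None:
    # Fix: authorise the (user, company) pair on the server and log the result,
    # so denied attempts against other companies are visible to responders.
    allowed = company_number in AUTHORISED.get(s.user, set())
    s.audit.append((s.user, company_number, "allow" if allowed else "deny"))
    if not allowed:
        raise Forbidden(company_number)
    s.active_company = company_number

def dashboard_checked(s: Session) -> dict:
    # Re-check at the point of use so a stale or forged context cannot leak data.
    if s.active_company not in AUTHORISED.get(s.user, set()):
        raise Forbidden(str(s.active_company))
    return RECORDS[s.active_company]
```

The audit list doubles as a detection source: repeated `deny` entries from one account across many company numbers are the pattern an investigator would look for.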

“Our investigation has revealed that certain non-public data of individual companies that are not typically disclosed on the Companies House register may have been visible to other users logged into WebFiling,” Companies House stated.

“This may include personal information such as dates of birth, residential addresses, and company email addresses. Unauthorized filings, such as accounts or changes in directorship, could have been potentially made on another company’s record.”

The agency confirmed that no user passwords were compromised, and information used for identity verification, like passport details, remained secure during the vulnerability period. Additionally, “no previously filed documents, such as accounts or confirmation statements, could have been tampered with.”

Companies House has reported the incident to the U.K. Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC) for further investigation. They are assessing whether the vulnerability was exploited to access or alter any company’s information.

“At this stage, we have not received any reports of unauthorized access or alterations to data,” Companies House assured in their statement. “Nevertheless, our investigation is ongoing, and we are committed to transparency throughout the process.”
