UK Companies House Exposed Details of Millions of Firms

A critical vulnerability has been found in a web application of Companies House, the government agency responsible for maintaining the public register of companies in the United Kingdom. According to Tax Policy Associates, the security hole was discovered by John Hewitt of Ghost Mail on March 12, but it existed for several months before a patch was rolled out. Hewitt found that any logged-in user could access other companies’ accounts on the Companies House platform. The attacker could have gained access to the non-public information of five million registered firms, including directors’ dates of birth, home addresses and email addresses.  In addition, an attacker could have changed a company’s details and could have submitted unauthorized filings. While the vulnerability could only be exploited by an authenticated attacker, conducting an attack would have been easy and required no technical skills.  An attacker only needed to select the ‘file for another company’ option, enter the unique number associated with the targeted company and, when prompted for an authentication code, press the back button a few times. The attacker would then automatically be logged in to the targeted company’s account.  In a statement issued on Monday, Companies House confirmed the security hole, saying it affected its WebFiling service. The flaw was introduced in October 2025 and it was addressed over the weekend after the service was shut down on Friday. “This was not accessible to the general public. Only users with an authorised code and logged in to the service could have performed this action,” the organization said. Companies House clarified that the vulnerability did not expose passwords and information collected during the identity verification process (such as passports). In addition, an attacker could not have made changes to existing filed documents.  “We believe that this issue could not have been used to extract data in large volumes or to access records systematically. Any access would have been limited to individual company records, viewed one at a time by a registered WebFiling user,” the agency clarified. Companies House also noted that while it’s not aware of any instances of data being accessed or changed through the exploitation of this vulnerability, companies should verify their details and filing history and report any concerns.  Related: UK Government Unveils New Cyber Action Plan Related: UK Government Acknowledges It Is Investigating Cyber Incident After Media Reports Related: Reddit Hit With $20 Million UK Data Privacy Fine Over Child Safety Failings WRITTEN BY Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. More from Eduard Kovacs Oracle EBS Hack: Only 4 Corporate Giants Still Silent on Potential Impact Hacking Attempt Reported at Poland’s Nuclear Research Center Loblaw Data Breach Impacts Customer Information Starbucks Data Breach Impacts Employees Iran-Linked Hacker Attack on Stryker Disrupted Manufacturing and Shipping Authorities Disrupt SocksEscort Proxy Service Powered by AVrecon Botnet Apple Updates Legacy iOS Versions to Patch Coruna Exploits Meta Launches New Protection Tools as It Helps Disrupt Scam Centers Latest News Tech Giants Invest $12.5 Million in Open Source Security Surf AI Raises $57 Million for Agentic Security Operations Platform Robotic Surgery Giant Intuitive Discloses Cyberattack 174 Vulnerabilities Targeted by RondoDox Botnet Google, Meta, Microsoft Among Signatories of Pact to Combat Scams Tracebit Raises $20M for Cloud-Native Deception Technology CISA Flags Year-Old Wing FTP Vulnerability as Exploited AI, APIs and DDoS Collide in New Era of Coordinated Cyberattacks Trending Webinar: Securing Fragile OT In An Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Virtual Event: Supply Chain Security And Third-Party Risk Summit March 18, 2026 Join the event where top security experts unpack the biggest software supply chain risks. Register People on the Move Nudge Security has appointed Patrick Dillon as Chief Revenue Officer. Arctic Wolf has named Will May as its Chief Revenue Officer. Palo Alto Networks has named Danielle Gonzalez as its new Chief People Officer. More People On The Move Expert Insights The Human IOC: Why Security Professionals Struggle With Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How To 10x Your Vulnerability Management Program In The Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose A Critical Flaw In Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Four Risks Boards Cannot Treat As Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) How To Eliminate The Technical Debt Of Insecure AI-Assisted Software Development Developers must view AI as a collaborator to be closely monitored, rather than an autonomous entity to be unleashed. Without such a mindset, crippling tech debt is inevitable. (Matias Madou) Flipboard Reddit Whatsapp Email