UK’s Companies House WebFiling Flaw Exposed Private Director Data for Five Months
Cybersecurity News, archived Mar 17, 2026
UK’s Companies House, the government’s official register of businesses, has revealed a significant security flaw in its WebFiling service.
The vulnerability exposed sensitive director data and potentially allowed unauthorized changes to company records for roughly five months.
Andy King, Chief Executive of Companies House, confirmed the incident in a public statement on March 16, 2026.
The agency took the WebFiling system offline on Friday, March 13, after discovering the flaw. The service was brought back online the following Monday after undergoing independent testing and patching.
Companies House WebFiling Flaw
The security issue functioned similarly to an Insecure Direct Object Reference (IDOR) flaw. It allowed a logged-in WebFiling user to access and modify elements of another company’s profile without permission by performing a specific sequence of actions.
This exploit was not available to the general public. To exploit the flaw, an attacker needed to be actively logged in to the WebFiling service with an authorized authentication code.
Furthermore, Companies House noted that the vulnerability could not be automated to extract large volumes of data systematically. Threat actors could only view or alter records one at a time.
According to the agency’s internal investigation, the security gap was accidentally introduced during a WebFiling system update in October 2025.
This means the vulnerability was active for five months before being discovered and resolved.
The vulnerability compromised private information that is normally hidden from the public Companies House register. The exposed data included:
Dates of birth for company directors
Private residential addresses
Registered company email addresses
In addition to data exposure, the flaw may have allowed unauthorized users to submit fraudulent filings. This means an attacker could have modified director details or filed bogus accounts on behalf of another business.
Companies House clarified that certain highly sensitive information remained completely secure.
Passwords were not compromised, and identity verification documents, such as passport details, were not accessed. Previously filed official documents also could not be altered through this vulnerability.
Incident Response and Mitigation
Upon discovering the breach, Companies House immediately reported the incident to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC).
The agency is currently analyzing its internal data logs to identify any unauthorized access or fraudulent changes made during the five-month exposure window.
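A log review of this kind can be sketched as follows. This is an added example, not Companies House code: the CSV schema, field names and sample rows are constructed, the window start of 1 October 2025 is a placeholder because only the month is reported, and each session is assumed to be authorised for exactly one company.

```python
import csv
import io
from datetime import date

# Assumed window: only "October 2025" is reported for the start, so the 1st is
# a placeholder; the service was taken offline on 2026-03-13.
WINDOW_START = date(2025, 10, 1)
WINDOW_END = date(2026, 3, 13)

# Constructed sample audit log (hypothetical schema, not a real WebFiling format).
# session_company = company the login's authentication code belongs to;
# target_company  = company record the request actually touched.
SAMPLE_LOG = """\
date,user,session_company,target_company,action
2025-09-28,u1,00000001,00000002,view
2025-11-04,u1,00000001,00000001,view
2025-11-04,u2,00000003,00000004,view
2026-01-19,u2,00000003,00000004,update
2026-02-02,u3,00000005,00000005,update
2026-03-16,u4,00000006,00000007,view
"""

WRITE_ACTIONS = {"update", "file"}


def find_cross_company_access(log_text):
    """Return in-window events where the session's company differs from the target."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        day = date.fromisoformat(row["date"])
        if not (WINDOW_START <= day <= WINDOW_END):
            continue  # outside the period the flaw was live
        if row["session_company"] == row["target_company"]:
            continue  # user acted on the company they authenticated for
        severity = "modified" if row["action"] in WRITE_ACTIONS else "viewed"
        findings.append({**row, "severity": severity})
    return findings


def affected_companies(findings):
    """Group findings by target company so each one can be notified and reviewed."""
    by_company = {}
    for f in findings:
        by_company.setdefault(f["target_company"], set()).add(f["severity"])
    return by_company
```

Where one login can legitimately act for several companies, the equality check would be replaced by a lookup against the set of companies that session was authorised for at the time of the request.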
While there are no confirmed reports of malicious exploitation yet, Companies House warned that it will take strict action against anyone found abusing the system.
Companies House is emailing all registered businesses to explain the incident and outline necessary security checks.
According to the UK government, organizations are urged to log into their accounts immediately to review their registered details and filing history for any unauthorized changes.
If a business spots suspicious activity or incorrect data, it should raise an official complaint with Companies House and provide evidence of the unauthorized changes.
The agency has promised to publish a detailed FAQ page soon to address further concerns from business owners and cybersecurity professionals.