Data Breach Alert - Millions of UK Firms Affected
Basically, a security issue may have leaked private info of many UK companies.
A security flaw at Companies House may have exposed sensitive data of millions of UK firms. Companies are advised to verify their records and monitor for unauthorized access. This incident raises serious concerns about data security in the business sector.
What Happened
On March 17, 2026, Companies House, the official company registry in the UK, announced that its WebFiling service was back online after a temporary shutdown. This shutdown was necessary to address a security issue that potentially exposed the personal data of millions of firms. An investigation revealed that the flaw was likely introduced during an update in October 2025. It allowed unauthorized access to sensitive information, raising significant concerns among businesses.
The vulnerability was discovered by John Hewitt from Ghost Mail. He found that users could exploit the flaw by logging into their accounts and attempting to file for another company. By pressing the back button multiple times after the authentication prompt, they could gain unauthorized access to another company’s dashboard. This alarming discovery highlighted the potential for misuse, even though Companies House stated that passwords and identity verification data were not compromised.
Who's Affected
The data exposure affects millions of UK firms that rely on Companies House for their official registrations. The sensitive information that may have been exposed includes dates of birth, residential addresses, and company email details. While Companies House gave assurances that existing filed documents could not be altered, the possibility of unauthorized filings, such as changes to directors or company accounts, raised serious alarms.
Companies House has reported the incident to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC). They are actively analyzing the situation to identify any anomalies and ensure that the data remains secure moving forward. The impact of this breach could be significant, as it affects the trust and security of business operations across the UK.
What Data Was Exposed
The vulnerability allowed access to non-public information that is crucial for the integrity of businesses. Specifically, the data potentially exposed includes:
- Personal details: Dates of birth and residential addresses of company directors.
- Company information: Email addresses and other sensitive data related to corporate filings.
While Companies House claims that the flaw could not be used to extract data in bulk, the risk of individual company records being accessed remains concerning. The agency emphasized that any unauthorized access would be limited to records viewed one at a time by registered users, but the implications of such access can still be damaging.
What You Should Do
In light of this incident, Companies House urges all affected firms to review their registered details and filing history. Here are some immediate actions companies should take:
- Verify Records: Ensure that all registered details are accurate and up to date.
- Monitor Activity: Keep an eye on any unusual changes or unauthorized filings in your company records.
- Report Suspicion: If you suspect that unauthorized access has occurred, report it to Companies House immediately.
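One way to carry out the record review and monitoring steps above, as an added example that is not from Companies House or the original article: it flags filings dated inside the exposure window that the company has no record of submitting. The item fields (transaction_id, date, category, type), the 1 October 2025 start day and all sample data are assumptions or constructed.

```python
from datetime import date

# Assumed window: the article gives only "October 2025" for the faulty update
# and 17 March 2026 for the service's return, so the start day is a guess.
WINDOW_START = date(2025, 10, 1)
WINDOW_END = date(2026, 3, 17)

# Filing categories the article singles out: director changes and accounts.
HIGH_RISK = {"officers", "accounts"}


def review_filings(items, known_ids, start=WINDOW_START, end=WINDOW_END):
    """Return filings inside the window that the company did not log itself,
    high-risk categories first, then by date."""
    findings = []
    for item in items:
        filed = date.fromisoformat(item["date"])
        if not start <= filed <= end:
            continue  # outside the period the flaw is believed to have existed
        if item["transaction_id"] in known_ids:
            continue  # matches the company's own submission log
        priority = "high" if item.get("category") in HIGH_RISK else "review"
        findings.append({**item, "priority": priority})
    findings.sort(key=lambda f: (f["priority"] != "high", f["date"]))
    return findings


# Constructed sample: a filing history export and the company's own log of
# submissions. Field names are assumed, not taken from the article.
SAMPLE_HISTORY = [
    {"transaction_id": "EX-001", "date": "2025-09-12",
     "category": "confirmation-statement", "type": "CS01"},
    {"transaction_id": "EX-002", "date": "2025-12-03",
     "category": "accounts", "type": "AA"},
    {"transaction_id": "EX-003", "date": "2026-01-20",
     "category": "officers", "type": "AP01"},
    {"transaction_id": "EX-004", "date": "2026-02-11",
     "category": "address", "type": "AD01"},
    {"transaction_id": "EX-005", "date": "2025-11-05",
     "category": "officers", "type": "TM01"},
]
KNOWN_IDS = {"EX-002"}  # filings the company itself submitted

if __name__ == "__main__":
    for f in review_filings(SAMPLE_HISTORY, KNOWN_IDS):
        print(f["priority"], f["date"], f["type"], f["transaction_id"])
```

Anything the script returns is a candidate for the "Report Suspicion" step, with director and accounts filings checked first.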
Companies House has committed to taking firm action if evidence of unauthorized access or changes is found. Staying vigilant is crucial for maintaining the integrity of your business in the wake of this incident.
Help Net Security