Vulnerability - UK Companies House Exposed Millions of Firms
In short: a flaw let logged-in users view and change other companies' details with little effort.
A critical vulnerability at Companies House exposed sensitive data of millions of firms. This flaw allowed unauthorized access to company records, raising significant data protection concerns. Companies are urged to verify their details and report any issues.
The Flaw
A serious vulnerability was discovered in the web application of Companies House, the UK agency responsible for maintaining the public register of companies. This flaw, identified by John Hewitt from Ghost Mail, allowed any logged-in user to access other companies' accounts. The vulnerability existed for several months before it was patched on March 12, 2026. It was introduced in October 2025 and affected the WebFiling service, which is used by companies to manage their records online.
The exploit was alarmingly simple. An authenticated user could select the 'file for another company' option, input the unique number of the targeted company, and bypass security by pressing the back button multiple times. This would grant them access to the targeted company's account without needing advanced technical skills. Such ease of exploitation raises significant concerns about the security protocols in place at Companies House.
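The failure class behind a flaw like this is worth seeing in code. The following Python is an added illustration, not Companies House code and not a description of how WebFiling is actually built: it models a multi-step flow that records the target company in the session before the authorization check has passed, so that later pages which trust the session value serve another company's record. The hardened version treats the company number as untrusted input and enforces the check at the point of use on every request. All users, company numbers and records are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed data: which user holds an authentication code for which company
# number. Company numbers and records below are placeholders, not real firms.
AUTHORISATIONS = {
    "alice": {"00000001"},
    "bob": {"00000002"},
}

# Constructed non-public data of the kind the article says was at risk.
RECORDS = {
    "00000001": {"director_dob": "1970-01-01", "home_address": "1 Example Street"},
    "00000002": {"director_dob": "1980-02-02", "home_address": "2 Example Road"},
}


@dataclass
class Session:
    user: str
    current_company: Optional[str] = None


class AuthorizationError(Exception):
    """Raised when a user acts on a company they are not authorised for."""


def is_authorised(user: str, company_number: str) -> bool:
    return company_number in AUTHORISATIONS.get(user, set())


# --- Weak flow (illustrates the bug class) ---------------------------------
# The target company is written into the session as the first step of a
# multi-step flow; the authorisation check is a later step. A user who abandons
# the flow (for example by navigating back) keeps the session value, and every
# later page believes it without re-checking.

def weak_select_company(session: Session, company_number: str) -> str:
    session.current_company = company_number          # stored before the check
    if not is_authorised(session.user, company_number):
        return "authentication code required"          # but the value is kept
    return "selected"


def weak_view_record(session: Session) -> dict:
    # No per-request check: whatever the session says is trusted.
    return RECORDS[session.current_company]


# --- Hardened flow -----------------------------------------------------------
# The company number is untrusted input on every request, and the check is
# enforced at the point of use, so stale session state cannot grant access.

def hardened_select_company(session: Session, company_number: str) -> str:
    if not is_authorised(session.user, company_number):
        session.current_company = None                 # never keep an unverified target
        raise AuthorizationError(f"{session.user} not authorised for {company_number}")
    session.current_company = company_number
    return "selected"


def hardened_view_record(session: Session) -> dict:
    target = session.current_company
    if target is None or not is_authorised(session.user, target):
        raise AuthorizationError(f"{session.user} not authorised for {target!r}")
    return RECORDS[target]


def demo() -> dict:
    """Run both flows for a user who is authorised only for company 00000002."""
    weak = Session(user="bob")
    weak_select_company(weak, "00000001")        # refused, yet the session remembers it
    leaked = weak_view_record(weak)              # the other company's record comes back

    hard = Session(user="bob")
    try:
        hardened_select_company(hard, "00000001")
        blocked = False
    except AuthorizationError:
        blocked = True
    return {"weak_leaks": leaked == RECORDS["00000001"], "hardened_blocks": blocked}


if __name__ == "__main__":
    print(demo())   # {'weak_leaks': True, 'hardened_blocks': True}
```

The design point is that authorization state must never be derivable from navigation order: a check that runs once at the start of a flow, with the result cached in the session, is only as strong as every path that can reach the later steps. Checking the user-to-company binding on each request that reads or writes a record removes that dependence entirely, and an access log that records user, company number and outcome for each such check is what lets the operator later answer "was any record accessed or altered through this route".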
What's at Risk
The potential impact of this vulnerability is vast, affecting the non-public information of approximately five million registered firms. Sensitive details such as directors' dates of birth, home addresses, and email addresses were at risk. Furthermore, attackers could have altered company details and submitted unauthorized filings, posing a severe threat to the integrity of company records.
Despite the serious nature of the vulnerability, Companies House stated that it was not accessible to the general public. Only users with an authorized code could exploit the flaw. However, the ease with which an attacker could gain access is troubling. The agency has reassured the public that passwords and identity verification information were not compromised, but the risk of unauthorized changes to company records remains a concern.
Patch Status
After the vulnerability was identified, Companies House quickly took action. The service was shut down on March 10, 2026, to address the issue, and a patch was rolled out shortly after. The agency confirmed that it is not aware of any instances where data was accessed or altered through this vulnerability. However, it has advised companies to verify their details and filing history to ensure no unauthorized changes have occurred.
This incident underscores the importance of robust security measures, especially for agencies handling sensitive data. The rapid response from Companies House reflects a commitment to protecting the integrity of the public register, but it also highlights the need for ongoing vigilance against potential exploits.
Immediate Actions
For businesses registered with Companies House, it is crucial to take immediate steps to safeguard their information. Companies should:
- Verify their details: Check the accuracy of all company records and filings.
- Monitor for unauthorized changes: Regularly review filing history for any suspicious activity.
- Report concerns: If any discrepancies are found, report them to Companies House immediately.
This incident serves as a reminder of the vulnerabilities that can exist even within established systems. Companies must remain proactive in protecting their data and ensuring compliance with best practices in cybersecurity.
SecurityWeek