Vulnerabilities - UK Companies House Exposes Private Director Data
Basically, a flaw let people see private information about company directors for five months.
A major flaw in the UK’s Companies House WebFiling service exposed private director data for five months. This breach raises serious concerns for registered businesses. Companies House is urging all those affected to review their records for unauthorized changes.
What Happened
The UK’s Companies House, the official register of businesses, has disclosed a significant security flaw in its WebFiling service. This vulnerability exposed sensitive information about company directors for approximately five months. On March 16, 2026, Andy King, Chief Executive of Companies House, confirmed the incident. The flaw was discovered on March 13, leading to the immediate shutdown of the WebFiling system for repairs.
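The issue stemmed from an Insecure Direct Object Reference (IDOR) vulnerability, a class of flaw in which an application acts on an object identifier supplied in the request without checking that the requester is entitled to that object. This allowed logged-in users to access and modify another company's profile without permission. Although the flaw was not available to the general public, it posed serious risks to the integrity of company records.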
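The class of flaw described above, shown as an added example that is not Companies House code: a lookup that only requires a logged-in session, beside read and write paths that also check the session's right to the specific company. The data model, function names, accounts and company numbers are all constructed assumptions.

```python
"""Object-level authorisation for a filing service (all names are hypothetical)."""
from dataclasses import dataclass, field

# Constructed sample data: company number -> private profile fields.
COMPANIES = {
    "00000001": {"director_dob": "1970-01-01", "home_address": "1 Example St"},
    "00000002": {"director_dob": "1980-02-02", "home_address": "2 Sample Rd"},
}
# Which account may act for which company (assumed authorisation model).
AUTHORISED = {"alice": {"00000001"}, "bob": {"00000002"}}


class Forbidden(Exception):
    """Raised for both unknown and unauthorised companies (no existence oracle)."""


@dataclass
class Session:
    user: str
    denied: list = field(default_factory=list)  # audit trail of refused requests


def get_profile_vulnerable(session: Session, company_number: str) -> dict:
    # IDOR: authentication only. The object id comes from the request and is
    # never compared with what this session is allowed to touch.
    return COMPANIES[company_number]


def _authorise(session: Session, company_number: str) -> dict:
    # Server-side check made on every access, keyed on the session identity.
    allowed = AUTHORISED.get(session.user, set())
    if company_number not in allowed or company_number not in COMPANIES:
        session.denied.append(company_number)  # keep evidence for later review
        raise Forbidden("company not available to this account")
    return COMPANIES[company_number]


def get_profile(session: Session, company_number: str) -> dict:
    return dict(_authorise(session, company_number))  # copy: caller can't mutate


def update_profile(session: Session, company_number: str, changes: dict) -> dict:
    record = _authorise(session, company_number)  # same check on the write path
    record.update(changes)
    return dict(record)
```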
Who's Affected
The breach primarily affects registered businesses and their directors. Sensitive data exposed includes dates of birth, private residential addresses, and registered company email addresses. While the vulnerability did not compromise passwords or highly sensitive identity verification documents, it still raises concerns about the potential for unauthorized filings.
Companies House is currently analyzing internal data logs to identify any unauthorized access during the exposure period. Although there are no confirmed reports of malicious exploitation, the agency is taking this incident seriously and will take strict action against any misuse.
What Data Was Exposed
The vulnerability allowed attackers to view or alter records one at a time. This means that while large-scale data extraction was not possible, the potential for individual record manipulation existed. The exposed data is typically hidden from the public register, making this breach particularly concerning for affected individuals.
In addition to personal information, the flaw could have enabled unauthorized users to submit fraudulent filings. This means an attacker could potentially alter director details or file fake accounts on behalf of another business, leading to severe implications for the integrity of company records.
What You Should Do
In response to the breach, Companies House has reported the incident to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC). They are advising all registered businesses to log into their accounts immediately to review their registered details and filing history for any unauthorized changes.
If any suspicious activity is detected, businesses are encouraged to raise an official complaint with Companies House and provide evidence of the unauthorized changes. The agency is also preparing a detailed FAQ page to address concerns from business owners and cybersecurity professionals. This incident highlights the importance of regular security audits and vigilance in monitoring company records.
Cyber Security News