UK's Companies House - Security Flaw Exposed Business Data
In short, a security flaw let logged-in users see other companies' private information.
A serious security flaw at Companies House exposed sensitive data of five million companies for five months. This raises significant concerns about data protection and privacy. Companies House is investigating the incident and has reported it to the relevant authorities.
What Happened
In a recent revelation, Companies House, the U.K. government agency responsible for the corporate registry, confirmed a significant security flaw in its WebFiling service. This vulnerability, discovered by John Hewitt and reported by Dan Neidle, allowed logged-in users to access the dashboards of other companies. The issue persisted for five months, exposing sensitive information of approximately five million registered companies.
The flaw was introduced during a system update in October 2025. A user who was logged in to their own account could enter another company's registration number and then press the back button, which led them to a dashboard that did not belong to them and revealed potentially sensitive data.
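The class of bug described above is a missing per-request authorization check: the dashboard is served for whichever company number the session currently points at, rather than for a company the user has proved control of. The following Python sketch is an added illustration, not Companies House code, and contrasts a handler that trusts navigation state with one that authorizes every request and records denials. All names (`Session`, `select_company`, `authenticate_company`, `dashboard_vulnerable`, `dashboard_hardened`) and the sample records are hypothetical, and the two-step flow is a simplified assumption, since the page does not describe the service's internals.

```python
from dataclasses import dataclass, field

# Constructed sample records; every name here is hypothetical.
DASHBOARDS = {
    "00000001": {"name": "Example A Ltd", "director_dob": "1970-01-01"},
    "00000002": {"name": "Example B Ltd", "director_dob": "1980-02-02"},
}
AUDIT_LOG = []  # denied cross-company requests, kept for later review


class Forbidden(Exception):
    """Raised when a session requests a company it has not authenticated for."""


@dataclass
class Session:
    user: str
    authorised: set = field(default_factory=set)  # companies the user proved control of
    selected: str = ""  # last company number typed in (user-controlled)


def select_company(session, number):
    """Remember which company number the user typed; this proves nothing yet."""
    session.selected = number


def authenticate_company(session, number, code_ok):
    """Only a successful per-company check adds the company to the session."""
    if code_ok:
        session.authorised.add(number)


def dashboard_vulnerable(session):
    # Trusts navigation state: whatever number is selected gets served.
    return DASHBOARDS[session.selected]


def dashboard_hardened(session):
    # Authorise every request against what the session actually proved,
    # regardless of how the browser arrived at this page.
    if session.selected not in session.authorised:
        AUDIT_LOG.append((session.user, session.selected, "denied"))
        raise Forbidden(session.selected)
    return DASHBOARDS[session.selected]
```

An audit trail of denied requests like `AUDIT_LOG` is also what makes it possible to answer, after the fact, whether cross-company access was attempted during a given period.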
Who's Affected
The exposure affects all entities registered with Companies House, which includes limited companies, partnerships, and sole traders across the U.K. The data at risk includes management's home addresses, email addresses, and other personal information. While Companies House has said that no passwords or sensitive identity verification data were compromised, the vulnerability raises serious concerns about the integrity of the data held by government agencies.
As investigations continue, Companies House has reported the incident to the U.K. Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC). They are currently assessing whether any unauthorized access or alterations occurred during the vulnerability period.
What Data Was Exposed
The security flaw allowed unauthorized visibility of specific data that is typically not made public. This included:
- Dates of birth of company directors
- Residential addresses
- Company email addresses
Additionally, there were concerns that unauthorized filings could have been made, such as changes to directors or financial accounts. Companies House has emphasized that while the flaw could have been exploited, they have no confirmed reports of unauthorized access or alterations at this time.
What You Should Do
If you are a business owner or stakeholder registered with Companies House, it is crucial to remain vigilant. Here are some recommended actions:
- Monitor your company’s information on the Companies House register for any unauthorized changes.
- Review your security practices, especially regarding sensitive information shared online.
- Stay informed about updates from Companies House regarding this incident and any potential impacts on your data.
As Companies House continues to investigate, they have committed to transparency and will provide updates as more information becomes available. It is essential for all registered companies to understand the implications of this vulnerability and take proactive steps to safeguard their data.
BleepingComputer