A significant security vulnerability was identified in the web application of Companies House, the UK government agency tasked with maintaining the official register of companies. This flaw potentially exposed the sensitive information of millions of firms.
Discovery of the Vulnerability
The security issue came to light when John Hewitt from Ghost Mail discovered it on March 12. However, the vulnerability had been present for several months before it was finally patched. Hewitt’s findings revealed that logged-in users could access other companies’ accounts on the Companies House platform, risking exposure of sensitive data for five million registered companies.
Details at risk included directors’ personal information such as dates of birth, home addresses, and email addresses. Furthermore, unauthorized changes to a company’s information could have been made, including the submission of falsified filings.
Exploitability and Potential Impact
Exploiting the vulnerability required minimal technical expertise. An attacker could simply choose the ‘file for another company’ option, input the targeted company’s unique number, and use the back button to gain unauthorized access. This ease of exploitation posed a significant threat despite requiring authenticated access.
In response, Companies House confirmed the vulnerability affected the WebFiling service, stating it was introduced in October 2025. The flaw was rectified after the service was temporarily shut down over a weekend.
Company Response and Security Measures
Companies House assured that the vulnerability did not compromise passwords or identity verification data like passports. Moreover, it was not possible for attackers to alter any existing filed documents. The agency believes that data extraction would have been limited to individual company records, viewed singularly by registered users.
While no data breaches or unauthorized changes have been confirmed, Companies House advises companies to review their records and report any discrepancies. The incident underscores the importance of robust cybersecurity measures in protecting sensitive data.
For further information, the UK government has outlined a new Cyber Action Plan, emphasizing the need for enhanced security protocols across all sectors.
