Millions of UK firms on alert after Companies House data exposure
Companies House, the UK’s official company registry, said its WebFiling service is back online after being shut down on Friday to fix a security issue that may have exposed the personal data of millions of firms. An investigation indicates the flaw was likely introduced during an October 2025 update.

According to Companies House, only users who were logged in and had a valid authentication code could have exploited the flaw.
However, the vulnerability raised concerns because it exposed data that is not public, including dates of birth, residential addresses, and company email details. It may also have been possible to submit unauthorized filings, such as changes to directors or company accounts.
The vulnerability was discovered by John Hewitt of Ghost Mail, a business and personal mailing address service, and later publicized by Dan Neidle of Tax Policy Associates, a research organization focused on tax and corporate transparency.
Hewitt found that the flaw allowed a user to log into their own account, attempt to file for another company and, by pressing the back button four times after the authentication prompt, gain access to that company’s dashboard without authorization.
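The flaw as described is a case of session state getting ahead of authorization. As an added illustration (not Companies House code; the real implementation is not public), the Python model below assumes the selected company was written into the session before the authentication code was verified, and contrasts that with handlers that switch context only after verification and re-check authorization on every dashboard request. All names and sample values are hypothetical.

```python
import hmac

# Constructed sample data: company number -> authentication code.
AUTH_CODES = {"00000001": "A1B2C3", "00000002": "X9Y8Z7"}

class Session:
    def __init__(self, own_company):
        self.authorized = {own_company}  # companies this session proved access to
        self.pending = None              # company awaiting an authentication code
        self.active = own_company        # company the dashboard renders

# Assumed vulnerable pattern: context switches before the code is verified.
def start_filing_vulnerable(s, company):
    s.pending = company
    s.active = company

def dashboard_vulnerable(s):
    return "dashboard:" + s.active       # trusts session state, no check

# Hardened pattern: context changes only after verification, and the
# dashboard re-checks authorization on every request.
def start_filing(s, company):
    s.pending = company                  # active context is left untouched

def submit_auth_code(s, code):
    company, s.pending = s.pending, None
    expected = AUTH_CODES.get(company)
    if expected is None or not hmac.compare_digest(expected, code):
        return False
    s.authorized.add(company)
    s.active = company
    return True

def dashboard(s):
    if s.active not in s.authorized:
        raise PermissionError("session not authorized for " + s.active)
    return "dashboard:" + s.active

def abandon_prompt(start, view):
    """User starts filing for another company, skips the code prompt,
    and navigates back to the dashboard."""
    s = Session("00000001")
    start(s, "00000002")
    return view(s)

if __name__ == "__main__":
    print(abandon_prompt(start_filing_vulnerable, dashboard_vulnerable))
    print(abandon_prompt(start_filing, dashboard))
```

The per-request check in `dashboard` is what contains the failure even if some other handler leaves the session in an unverified state.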
Companies House said passwords were not compromised, no identity verification data such as passport information was accessed, and existing filed documents, including accounts and confirmation statements, could not have been altered.
“We believe that this issue could not have been used to extract data in large volumes or to access records systematically. Any access would have been limited to individual company records, viewed one at a time by a registered WebFiling user,” said Andy King, CEO of Companies House.
The agency reported the incident to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC) and is carrying out ongoing analysis to identify any anomalies.
Companies are urged to review their registered details and filing history to ensure their records are accurate.
“If we find evidence that anyone has used this issue to access or change another company’s details without authorization, we will take firm action,” King concluded.