The UK government's official business register, Companies House, has found a serious security hole in its WebFiling service. The vulnerability put sensitive director data at risk and may have let people make changes to company records without permission for about five months.
On March 16, 2026, Andy King, the Chief Executive of Companies House, made a public statement confirming the event. The agency took the WebFiling system offline on Friday, March 13, after learning about the problem. After being tested and patched by an outside party, the service was back online the next Monday.

Companies House WebFiling Problem

The security problem worked like an Insecure Direct Object Reference (IDOR) bug.
If a logged-in WebFiling user did a certain set of actions, they could get into and change parts of another company's profile without permission. The general public could not use this exploit. To take advantage of the flaw, an attacker had to be logged into the WebFiling service with a valid authentication code.
Companies House also said that the vulnerability couldn't be automated to get a lot of data in a systematic way. Threat actors could only look at or change one record at a time. The agency's own investigation found that the security hole was accidentally added during an update to the WebFiling system in October 2025. This means that the vulnerability was active for five months before it was found and fixed.
The flaw put private information that is usually hidden from the Companies House register at risk. The data that was made public included:
- Birthdays of the directors of the company
- Addresses of private homes
- Email addresses for registered businesses

The flaw may have let unauthorized users file fake documents in addition to exposing data. This means that a hacker could have changed the details of a director or made fake accounts for another business.
Companies House made it clear that some very private information was still completely safe. Passwords were safe, and no one was able to get to identity verification documents like passport information. The flaw also did not make it possible to change official documents that had already been filed.
Responding to and fixing incidents

Companies House told the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC) right away when it found out about the breach. The agency is now looking through its internal data logs to find any unauthorized access or changes that were made during the five-month exposure window. Companies House has not yet received any confirmed reports of malicious exploitation, but it has said it will take strong action against anyone who is found to be abusing the system.
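The kind of log review described above, sketched as an added example (not Companies House code): it flags events inside the exposure window where the company a session authenticated for differs from the company whose record was touched. The log schema, field names and sample rows are constructed, the 1 October start date is a placeholder because the article gives only the month, and the check assumes each session is bound to a single company by its authentication code.

```python
import csv
import io
from datetime import datetime, timezone

# Assumed exposure window: the article gives only "October 2025" for the faulty
# update, so the start day is a placeholder; the service went offline 13 March 2026.
WINDOW_START = datetime(2025, 10, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 3, 14, tzinfo=timezone.utc)

# Constructed sample audit log (hypothetical schema, not a Companies House format).
SAMPLE_LOG = """timestamp,user,auth_company,target_company,action
2025-09-20T10:00:00+00:00,u1,00000001,00000002,VIEW
2025-11-03T09:15:00+00:00,u1,00000001,00000001,VIEW
2025-11-03T09:16:30+00:00,u1,00000001,00000002,VIEW
2025-12-10T14:02:11+00:00,u2,00000003,00000004,UPDATE
2026-02-01T08:00:00+00:00,u3,00000005,00000005,UPDATE
2026-03-20T11:00:00+00:00,u2,00000003,00000004,VIEW
"""

def norm(company_number):
    """Normalise company numbers so '1' and '00000001' compare equal."""
    return company_number.strip().upper().zfill(8)

def find_cross_company_events(log_text):
    """Return in-window events where the session's company differs from the record touched."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        if not (WINDOW_START <= ts < WINDOW_END):
            continue  # outside the period in which the flaw was live
        if norm(row["auth_company"]) != norm(row["target_company"]):
            hits.append(row)
    # Changes matter more than views: list UPDATE events first, then by time.
    hits.sort(key=lambda r: (r["action"] != "UPDATE", r["timestamp"]))
    return hits

if __name__ == "__main__":
    for e in find_cross_company_events(SAMPLE_LOG):
        print(e["timestamp"], e["user"], e["auth_company"], "->", e["target_company"], e["action"])
```

Where one login can legitimately act for several companies, the comparison would need a per-user list of authorised companies instead of a single value.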
Companies House is sending emails to all registered businesses to explain what happened and list the security checks that need to be done. The UK government says that businesses should log into their accounts right away to check for any unauthorized changes to their registered information and filing history.
Businesses should notify Companies House of any suspicious activity or incorrect data they see. They should also provide proof of the changes that were made without permission. The agency has promised to put up a detailed FAQ page soon to answer more questions from business owners and cybersecurity experts.