UK's corporate registry fixes data exposing technical error • The Register

Privacy Reporter

Companies House security flaw exposed directors' personal data through browser back button bug

The UK's corporate registry, Companies House, suffered a significant security lapse that exposed sensitive company director information through a technical flaw in its WebFiling service. The government agency was forced to take its entire filing platform offline for the weekend to address the issue, which allowed logged-in users to access and potentially modify confidential data belonging to other companies.

The vulnerability, which stemmed from a change made to the WebFiling platform in October 2025, was first brought to public attention on March 13 by tax professional Dan Neidle. Neidle, founder of Tax Policy Associates, published a video on social media demonstrating how the flaw could be exploited to access other companies' data. He was alerted to the issue by John Hewitt, director of operations at Ghost Mail, and immediately informed Companies House.

The security flaw worked through a simple but effective bypass of the platform's authentication system. A logged-in company director could attempt to access another company's account, reach the two-factor authentication (2FA) block, and then use their browser's back button to return to what should have been their own dashboard. Instead of being redirected to their own account, the bug returned them to the company they had tried to access but couldn't authenticate into.
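The sequence above is, in application-security terms, an authorization context being bound to the session before the step that was supposed to gate it. The following is an added illustration, not Companies House's code or anything published by the reporter: a toy, framework-free model of a multi-company dashboard in which the weak pattern (switching the session's active company before the 2FA challenge is passed) sits beside the hardened one (recording only a pending choice, committing the switch after 2FA, and re-checking authorization on every dashboard request). User names, company names, the session fields and the handler names are all constructed for the example.

```python
"""Vulnerable vs. hardened company-context handling (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed directory: which user is a listed director of which company.
DIRECTORS = {
    "alice": {"ACME LTD"},
    "bob": {"BOB'S BAKERY LTD"},
}


class Forbidden(Exception):
    """Raised when a request is made for a company the user may not act for."""


@dataclass
class Session:
    user: str
    company: Optional[str] = None          # company context bound to the session
    pending_company: Optional[str] = None  # hardened flow: chosen but awaiting 2FA
    twofa_passed: Set[str] = field(default_factory=set)


# --- Weak pattern: context switches before the 2FA step succeeds ----------
def select_company_vulnerable(session: Session, company: str) -> str:
    """Binds the requested company to the session *before* 2FA succeeds.
    The 2FA page is then just a redirect target: navigating back to the
    dashboard finds the context already switched."""
    session.company = company
    if company not in DIRECTORS.get(session.user, set()):
        return "redirect:/2fa"       # challenge shown, but state already changed
    return "redirect:/dashboard"


def dashboard_vulnerable(session: Session) -> str:
    """Trusts the session's company field without re-checking authorization."""
    if session.company is None:
        return "redirect:/select-company"
    return f"dashboard for {session.company}"


# --- Hardened pattern: commit only after 2FA, and re-check on every request --
def select_company_hardened(session: Session, company: str) -> str:
    """Records only a *pending* choice for companies the user is not a
    director of; the active context changes after 2FA completes."""
    if company in DIRECTORS.get(session.user, set()):
        session.company = company
        return "redirect:/dashboard"
    session.pending_company = company
    return "redirect:/2fa"


def complete_2fa_hardened(session: Session, company: str, code_ok: bool) -> str:
    """Switches context only for the company the challenge was issued for."""
    if code_ok and session.pending_company == company:
        session.twofa_passed.add(company)
        session.company = company
        session.pending_company = None
        return "redirect:/dashboard"
    return "redirect:/2fa"


def dashboard_hardened(session: Session) -> str:
    """Re-checks on every request that the user may act for the bound company:
    either a listed director, or 2FA completed for it in this session."""
    company = session.company
    if company is None:
        return "redirect:/select-company"
    allowed = (company in DIRECTORS.get(session.user, set())
               or company in session.twofa_passed)
    if not allowed:
        session.company = None           # defence in depth against tampered state
        raise Forbidden(f"{session.user} is not authorised for {company}")
    return f"dashboard for {company}"


def simulate(flow: str) -> str:
    """Replays the article's sequence: alice, on her own dashboard, tries
    another company, hits the 2FA block, then goes back to the dashboard
    without completing 2FA."""
    s = Session(user="alice")
    if flow == "vulnerable":
        select_company_vulnerable(s, "ACME LTD")
        select_company_vulnerable(s, "BOB'S BAKERY LTD")  # reaches the 2FA block
        return dashboard_vulnerable(s)                    # "back button"
    select_company_hardened(s, "ACME LTD")
    select_company_hardened(s, "BOB'S BAKERY LTD")        # pending only
    try:
        return dashboard_hardened(s)                      # still her own company
    except Forbidden as exc:
        return f"forbidden: {exc}"


if __name__ == "__main__":
    print("vulnerable:", simulate("vulnerable"))
    print("hardened:  ", simulate("hardened"))
```

The two design choices that matter are visible in `select_company_hardened` and `dashboard_hardened`: the privileged state change happens only after the gating step, and the dashboard does not assume that reaching it implies the gate was passed. Either change alone would have stopped the back-button sequence; together they also cover a session whose company field is altered by some other path.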

This browser back button blunder allowed unauthorized users to view sensitive information including dates of birth, residential addresses, and company email addresses. In theory, it may have been possible for unauthorized filings—such as accounts or changes of director—to have been made on another company's record. However, Companies House CEO Andy King emphasized that passwords were not accessible, nor were identity verification documents like passports. Additionally, no existing filed documents such as accounts or confirmation statements could have been altered.

King stated that the agency believes the issue could not have been used to extract data in large volumes or to access records systematically. Any access would have been limited to individual company records, viewed one at a time by a registered WebFiling user. This limitation suggests the flaw, while serious, was not as catastrophic as it might have been had it allowed bulk data extraction.

The incident raises significant questions about the security practices at Companies House, particularly regarding how a change made in October 2025 went undetected for months before being reported. The agency has reported the incident to both the Information Commissioner's Office and the National Cyber Security Centre, and continues to investigate whether the flaw was actually abused since its introduction.

Companies House took the decision to shut down its WebFiling service on March 13 at 13:30 UTC and kept it offline throughout the weekend to ensure the vulnerability could be properly addressed. The service was restored by 09:00 on March 16 after technical teams had worked over the weekend to resolve the flaw.

This security lapse highlights the ongoing challenges faced by government agencies and organizations managing sensitive data. The fact that a simple browser navigation feature could be exploited to bypass security measures demonstrates how even seemingly minor technical oversights can have serious consequences for data protection.

The incident also underscores the importance of responsible disclosure, as Neidle's prompt reporting allowed Companies House to take swift action. The agency has promised to take firm action if evidence emerges that anyone used the flaw to access or change another company's details without authorization.

For the thousands of businesses and individuals who rely on Companies House services, this incident represents a breach of trust that the agency will need to work hard to rebuild. The exposure of personal data, even if limited in scope, can have serious implications for privacy and security, particularly given that company directors' residential addresses and dates of birth are often used for identity verification purposes.

As digital services become increasingly central to business operations and government functions, incidents like this serve as a reminder of the critical importance of robust security testing and monitoring. The fact that a change made six months prior could introduce such a significant vulnerability suggests that Companies House may need to review its development and testing processes to prevent similar issues in the future.

The resolution of this incident, while necessary, also highlights the operational impact of security vulnerabilities. Taking an entire filing platform offline for a weekend represents a significant disruption to business operations, potentially affecting companies' ability to meet filing deadlines and conduct necessary administrative tasks.

Moving forward, Companies House will need to demonstrate not only that the immediate vulnerability has been fixed but also that it has implemented measures to prevent similar issues from arising. This may include enhanced security testing procedures, more rigorous code review processes, and improved monitoring to detect unusual access patterns that might indicate exploitation of vulnerabilities.
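Monitoring for the access pattern described here does not require knowing the bug in advance: a dashboard view of a company for which the user is neither a listed director nor the holder of a completed second-factor step is anomalous on its own. The following is an added example, not part of the article and not a Companies House tool, of such a rule run over constructed WebFiling-style log lines. The log format, field names, event names and director list are all assumptions made for the example; the rule also reports how many foreign companies each user touched, which is how an operator would distinguish a one-off from systematic use.

```python
"""Detect dashboard views that were never gated by directorship or 2FA."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed directory of listed directors per user.
DIRECTORS: Dict[str, Set[str]] = {"alice": {"ACME LTD"}, "bob": {"BAKERY LTD"}}

# Constructed log lines in an assumed key=value format.
LOG_LINES = """\
2026-03-12T10:00:01Z user=alice company="ACME LTD" event=dashboard_view
2026-03-12T10:01:10Z user=alice company="BAKERY LTD" event=2fa_challenge
2026-03-12T10:01:25Z user=alice company="BAKERY LTD" event=dashboard_view
2026-03-12T10:05:00Z user=bob company="BAKERY LTD" event=dashboard_view
2026-03-12T10:06:00Z user=bob company="ACME LTD" event=2fa_challenge
2026-03-12T10:06:30Z user=bob company="ACME LTD" event=2fa_success
2026-03-12T10:06:40Z user=bob company="ACME LTD" event=dashboard_view
this line is malformed and must be skipped
""".splitlines()

LINE_RE = re.compile(r'^(\S+) user=(\S+) company="([^"]+)" event=(\S+)$')


def parse(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, company, event = m.groups()
    return {"ts": ts, "user": user, "company": company, "event": event}


def find_unauthorised_views(lines: List[str], directors: Dict[str, Set[str]]
                            ) -> List[Tuple[str, str, str]]:
    """Return (timestamp, user, company) for every dashboard_view where the
    user is not a director of the company and has no earlier 2fa_success
    for it. A 2fa_challenge alone grants nothing, which is exactly the
    distinction the back-button sequence exploited."""
    passed: Dict[str, Set[str]] = defaultdict(set)   # user -> companies with 2FA done
    findings: List[Tuple[str, str, str]] = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        user, company = rec["user"], rec["company"]
        if rec["event"] == "2fa_success":
            passed[user].add(company)
        elif rec["event"] == "dashboard_view":
            allowed = company in directors.get(user, set()) or company in passed[user]
            if not allowed:
                findings.append((rec["ts"], user, company))
    return findings


def foreign_company_counts(findings: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Distinct companies per user among the findings: a user with many
    would indicate systematic rather than one-off access."""
    per_user: Dict[str, Set[str]] = defaultdict(set)
    for _ts, user, company in findings:
        per_user[user].add(company)
    return {user: len(companies) for user, companies in per_user.items()}


if __name__ == "__main__":
    hits = find_unauthorised_views(LOG_LINES, DIRECTORS)
    for ts, user, company in hits:
        print(f"{ts} ALERT user={user} viewed {company!r} without directorship or 2FA")
    print("distinct foreign companies per flagged user:", foreign_company_counts(hits))
```

Run as a script it flags only alice's 10:01:25 view: her challenge for BAKERY LTD was never followed by a success, whereas bob's view of ACME LTD is preceded by a `2fa_success` and passes. The same rule replayed over the months since a change like the one in October 2025 is the kind of check that answers the question the agency is now investigating.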

For users of the WebFiling service, the incident serves as a reminder of the importance of monitoring their company records for any unauthorized changes. While Companies House has stated that no existing documents could have been altered, the potential for unauthorized filings means that directors should remain vigilant about their company's official records.

The broader implications of this security lapse extend beyond just Companies House. It demonstrates how even government agencies responsible for critical infrastructure can be vulnerable to technical errors that expose sensitive data. As organizations across all sectors continue to digitize their services, ensuring the security of these platforms must remain a top priority.

This incident also raises questions about the balance between accessibility and security in digital government services. While platforms like WebFiling are designed to make it easier for businesses to interact with government agencies, they must also maintain the highest standards of data protection to maintain public trust.

As the investigation continues, the business community will be watching closely to see what measures Companies House implements to prevent similar incidents and how it addresses the potential consequences for those whose data may have been exposed. The agency's response to this incident will likely serve as a case study for other organizations managing sensitive data in the digital age.
