A security flaw affecting the United Kingdom’s official business registry, Companies House, forced the government agency to take its services offline.
Companies House is responsible for registering, dissolving, and deregistering limited companies across the United Kingdom.
The security flaw, which existed for months, was discovered on March 12 by a corporate services provider who was able to view the details of another company.
Security flaw at Companies House exposes business executives’ data
The security vulnerability could allow logged-in users to view company information, including dates of birth and residential addresses of key business figures.
Additionally, it could allow logged-in users holding an authorization code to alter company information without consent. Companies House stressed, however, that the vulnerability was not exploitable by the general public, and that it did not expose sensitive details such as passwords or government-issued identity documents (passports and driver’s licenses).
“This was not accessible to the general public. Only users with an authorised code and logged in to the service could have performed this action,” the agency stated.
A logged-in user could trigger the security flaw by pressing the back key four times. John Hewitt of the corporate services provider Ghost Mail discovered the vulnerability, which by then had existed for several months.
It stemmed from an October 2025 update to the WebFiling system, which allows business executives to submit documents. Upon discovery, the registry pulled the service offline to protect companies from unauthorized data alteration. Nevertheless, the disruption was short-lived as the registry fixed the security flaw and restored the services within days.
So far, Companies House does not believe that sensitive data was altered, illegally accessed, or misused. However, an investigation is still ongoing, and the government agency will announce its outcome upon completion.
“We believe that this issue could not have been used to extract data in large volumes or to access records systematically. Any access would have been limited to individual company records, viewed one at a time by a registered WebFiling user,” it explained.
Nevertheless, it apologized and reiterated its commitment to protecting company information. It also promised to support any affected companies in order to restore public trust.
“Companies House takes its responsibility to protect the data entrusted to us extremely seriously,” said Andy King, chief executive officer of Companies House.
It also advised organizations to confirm their details and raise complaints if they discover any anomalies.
“We are asking all companies to check their registered details and filing history to make sure everything appears correct,” King said.
Meanwhile, the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC) have been notified.
“The UK Companies House recently patched a critical authorization flaw in its WebFiling service that exposed the private data of over five million businesses for nearly five months,” said Noelle Murata, Sr. Security Engineer, Xcape. “The vulnerability was introduced during a system update in October 2025 and allowed authenticated users to access sensitive director information and company records via simple browser navigation.”
Hard to exploit but still poses a serious security risk
The privileged actions the security flaw permitted, such as changes to accounts or directors, were particularly concerning. They could enable miscreants to commit various forms of fraud, including making unauthorized filings.
Government agencies are attractive targets for cybercriminals. Luckily, this security flaw was not public, thus reducing the likelihood of exploitation. Nevertheless, insider threats present one of the most significant security risks faced by modern organizations.
According to the Insider Threat Report, 83% of organizations faced insider threats in 2024, so a flaw that only requires an authenticated account is still a significant problem. Likewise, an attacker holding compromised credentials could log in and use the vulnerability to perform privileged actions.
“For security professionals, this incident is a poignant reminder that even the most trusted government portals on the Internet are susceptible to fundamental logic flaws when change management fails,” added Murata. “This lapse highlights a systemic breakdown in regression testing and secure code review, as a basic Insecure Direct Object Reference (IDOR) should never survive a production deployment.”
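As an added illustration of the class of flaw Murata names, the following Python is not code from Companies House and does not describe how WebFiling works internally; the handlers, the session model, and the company numbers and names are all constructed for the example. It places a handler that gates only on login (the Insecure Direct Object Reference pattern) beside one that also checks object-level authorization on every read and write, and it includes the regression check that would flag the former before a deployment.

```python
"""
Object-level authorization versus a login-only gate (IDOR), with the
regression check that catches the difference.
Constructed example: the data model, company numbers and names are made up
and do not represent Companies House's WebFiling system.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a caller requests a record they are not authorized for."""


@dataclass(frozen=True)
class Session:
    user_id: str
    # Company numbers this user has proved control of (for instance by entering
    # that company's authentication code). Assumption for this example: the
    # server records that proof in the session rather than trusting the request.
    authorized_companies: frozenset


@dataclass
class Company:
    number: str
    name: str
    officers: list  # constructed director names; real records hold far more


# Constructed sample register, not real entries.
REGISTRY = {
    "00000001": Company("00000001", "Alpha Widgets Ltd", ["A. Example"]),
    "00000002": Company("00000002", "Beta Gadgets Ltd", ["B. Example"]),
}


def _require_login(session):
    if session is None:
        raise Forbidden("login required")


def _require_company_access(session, company_number):
    """Object-level authorization: the caller must be authorized for THIS company."""
    _require_login(session)
    if company_number not in session.authorized_companies:
        raise Forbidden(f"{session.user_id} is not authorized for {company_number}")


def get_company_record_vulnerable(session, company_number):
    """Missing object-level check (the IDOR pattern): login is the only gate."""
    _require_login(session)
    return REGISTRY[company_number]


def get_company_record(session, company_number):
    """Hardened read: login plus a per-record authorization check."""
    _require_company_access(session, company_number)
    return REGISTRY[company_number]


def update_officers(session, company_number, officers):
    """Hardened write: the check is repeated on the mutating request itself,
    so reaching the edit form by some other route does not bypass it."""
    _require_company_access(session, company_number)
    REGISTRY[company_number].officers = list(officers)
    return REGISTRY[company_number]


def cross_company_access_allowed(handler, session, company_number, *args):
    """True if `handler` lets `session` touch a company it is not authorized for.
    A CI regression test asserts this is False for every handler that reads
    or writes company data."""
    try:
        handler(session, company_number, *args)
    except Forbidden:
        return False
    return True


def run_regression_suite():
    """Returns {handler name: cross-company access allowed?}; every value
    should be False before code is allowed into production."""
    alice = Session("alice", frozenset({"00000001"}))
    other = "00000002"  # a company alice holds no authorization for
    return {
        "get_company_record_vulnerable": cross_company_access_allowed(
            get_company_record_vulnerable, alice, other),
        "get_company_record": cross_company_access_allowed(
            get_company_record, alice, other),
        "update_officers": cross_company_access_allowed(
            update_officers, alice, other, ["M. Example"]),
    }


if __name__ == "__main__":
    for name, leaks in run_regression_suite().items():
        print(f"{name}: {'FAIL (cross-company access)' if leaks else 'ok'}")
```

The point of `run_regression_suite` is that it exercises a negative case (a user reaching a record they do not own) rather than only the happy path; a suite that checks only that authorized users can file will pass against both handlers and never notice the missing check.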