What happened
Companies House, the UK government’s corporate registry, confirmed a security flaw in its WebFiling system that exposed sensitive business and director data. A system update in October 2025 introduced a vulnerability that allowed users to access other companies’ private dashboards, and the issue persisted for several months afterwards. It could be triggered by initiating a filing for another company and then using the browser’s back button to bypass authentication, exposing information such as directors’ home addresses and email details. The flaw potentially affected data linked to millions of registered companies, with reports indicating exposure lasting up to five months. Companies House said the issue has been fixed and reported to regulators, including the UK’s data protection and cybersecurity authorities.
Who is affected
Businesses and company directors registered with Companies House, including those associated with millions of UK-registered entities, are affected, as their personal and corporate information may have been exposed through the vulnerable WebFiling system.
Why CISOs should care
The incident highlights risks in government-operated business registries, where authentication bypass flaws can expose sensitive corporate and identity data and potentially enable unauthorized changes to official records.
3 practical actions
- Review company records for unauthorized changes. Organizations should verify filings and director information stored in Companies House systems.
- Audit access controls in filing systems. Ensure authentication mechanisms cannot be bypassed through session handling flaws.
- Monitor for identity and corporate fraud risks. Exposure of director data may increase risk of impersonation or fraudulent filings.
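The check behind the second action, as an added example that is not from Companies House or the original article: every dashboard request is authorized against what the session has actually proven, not against navigation state left over from an earlier step. The session model, function names, and sample records are hypothetical and constructed for illustration; the page does not describe the actual WebFiling implementation.

```python
# Hypothetical model of a filing portal; all names and data are constructed.
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample records (not real companies).
DASHBOARDS = {
    "00000001": {"name": "Example A Ltd", "director_email": "a@example.test"},
    "00000002": {"name": "Example B Ltd", "director_email": "b@example.test"},
}
AUTH_CODES = {"00000001": "AAA111", "00000002": "BBB222"}


@dataclass
class Session:
    user: str
    selected_company: Optional[str] = None       # navigation state only
    authorized: set = field(default_factory=set)  # companies proven by auth code


def start_filing(session, company_no):
    """Step 1 of the flow: records which company the user wants to file for."""
    session.selected_company = company_no
    return "auth_code_prompt"


def submit_auth_code(session, company_no, code):
    """Step 2: only a correct code grants authorization for that company."""
    if AUTH_CODES.get(company_no) == code:
        session.authorized.add(company_no)
        return True
    return False


def dashboard_flawed(session):
    """Weak pattern: trusts navigation state that was set before authentication."""
    return DASHBOARDS.get(session.selected_company)


def dashboard_hardened(session, company_no):
    """Authorizes each request against what the session has proven."""
    headers = {"Cache-Control": "no-store"}  # keep private pages out of browser history cache
    if company_no not in session.authorized:
        return 403, headers, None
    return 200, headers, DASHBOARDS[company_no]
```

An access-control audit of a multi-step flow can use the same shape as a regression test: set the navigation state for a second tenant without completing its authentication step, then confirm every private view returns a denial.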
