Critical Glitch Exposes Millions of Companies’ Sensitive Information
Companies House, the UK’s official registry for company incorporation and filings, suffered a serious security breach that allowed users to access and potentially alter other companies’ confidential data without permission. This alarming vulnerability emerged following a recent system update and demands urgent attention from all registered businesses.
Unauthorized Access to Directors’ Personal Details
The flaw, introduced during an October 2025 upgrade to Companies House’s WebFiling platform, enabled logged-in users to inadvertently view and edit sensitive company information—ranging from directors’ home addresses to email contacts. Shockingly, users could reach the dashboards of firms they did not own, without authorization, simply by using the browser’s navigation controls.
John Hewitt of corporate services provider Ghost Mail discovered the breach when he accessed another company’s dashboard by pressing the back button multiple times. Upon detecting the issue on Thursday, he promptly notified Companies House and the independent think tank Tax Policy Associates.

Swift Response and Ongoing Investigation
Companies House acted quickly, suspending the WebFiling service on Friday to contain the breach. By Monday, the security vulnerability was patched. Chief Executive Andy King issued a formal apology, emphasizing the agency’s commitment to safeguarding entrusted data and supporting affected businesses.
Although there are no confirmed reports of data misuse, the investigation revealed that personal details—such as dates of birth and residential addresses—may have been exposed. Furthermore, unauthorized filings, including changes to company directors or submission of accounts, might have been made. However, passwords and identity verification documents, including passports, remained secure, and no previously filed official documents were altered.
Official Guidance for Businesses
The Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC) have been notified, with the ICO advising companies to consult the SME hub for guidance. Registered businesses will receive detailed emails outlining how to verify their company records and what steps to take if they suspect unauthorized changes.
Companies are urged to remain vigilant, promptly report any suspicious activity, and provide evidence to aid investigations.

Broader Cybersecurity Landscape
This incident adds to a growing list of recent cybersecurity challenges affecting UK institutions, including:
- Banking apps like Lloyds, Bank of Scotland, and Halifax exposing customers’ transaction data to others.
- The 2024 Transport for London (TfL) hack, impacting approximately 10 million users.
- A Microsoft Copilot error that inadvertently exposed confidential emails to AI processing tools.
As digital threats escalate, UK companies must prioritize data security and continuously monitor their online accounts to protect sensitive information.








