UK's Companies House apologises for access and data breach


Easily exploitable bug existed for five months, jeopardising millions of companies.

The chief executive of the United Kingdom's Companies House business register has issued an apology after a website vulnerability provided unauthorised access to arbitrary companies' information, and allowed for the modification of the data.


"I recognise that this incident will have caused concern and inconvenience to many of the companies and individuals who rely on our services. I am sorry for that," Andy King, the chief executive of Companies House said.

UK taxation analyst Dan Neidle first reported on the flaw, following a tip-off from a reader.

The flaw gave anyone with a legitimate login to the Companies House WebFiling service access to the private information of unrelated companies, exposing data such as dates of birth, residential addresses and email details.

It was also possible to alter company records, such as accounts and changes of directors, King said.

Exploiting the vulnerability was very easy: after logging in with legitimate credentials for their own company, all an attacker needed in order to view and alter another business's data was that business's Companies House registration number.

The WebFiling system would then request an authentication code, Neidle wrote.

This authentication code request could be bypassed by pressing the browser's back button a few times, after which the system granted access to the company whose registration number had been entered.

Such a lack of access controls suggests the bug belongs to a common class of vulnerabilities that security researchers refer to as insecure direct object references (IDOR).
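The two failures the article describes, looking a record up by a client-supplied company number without checking that the logged-in user is authorised for it, and tracking the authentication-code step in a way the client can skip, can be modelled in a few lines. The following is an added illustration, not Companies House code: the register, the user-to-company authorisation map, the authentication codes and the session model are all constructed for the example. The vulnerable handler trusts the company number and a client-held "code verified" flag; the hardened handler makes both decisions from server-side session state.

```python
"""Model of an IDOR plus a skippable verification step, with a hardened form.
All data below is constructed for illustration; nothing here is Companies
House's actual code, data format or authentication-code scheme."""
import hmac
from dataclasses import dataclass, field

# Constructed register: company number -> record (hypothetical values)
REGISTER = {
    "01234567": {"name": "Example Ltd", "director_dob": "1970-01-01", "filings": []},
    "07654321": {"name": "Other Plc", "director_dob": "1985-05-05", "filings": []},
}
# Constructed: which companies each login may file for, and each company's code
AUTHORISED = {"alice": {"01234567"}, "bob": {"07654321"}}
AUTH_CODES = {"01234567": "ABC123", "07654321": "XYZ789"}


class AccessDenied(Exception):
    pass


@dataclass
class Session:
    user: str
    # Companies whose authentication code was verified in THIS session.
    # Kept server-side, so the browser cannot forge or skip it.
    unlocked: set = field(default_factory=set)


def vulnerable_view(session, company_number, client_says_code_verified=True):
    """Insecure pattern: the record is selected purely by the client-supplied
    number (IDOR), and the only evidence that the authentication-code step
    happened is a flag the client controls (the 'back button' bypass)."""
    if company_number not in REGISTER:
        raise KeyError(company_number)
    if not client_says_code_verified:
        raise AccessDenied("authentication code required")
    return REGISTER[company_number]


def verify_auth_code(session, company_number, code):
    """Server-side step: unlock a company for this session only if the user is
    authorised for it AND presents the correct code (constant-time compare)."""
    if company_number not in AUTHORISED.get(session.user, set()):
        raise AccessDenied("user not authorised for this company")
    if not hmac.compare_digest(code, AUTH_CODES[company_number]):
        raise AccessDenied("bad authentication code")
    session.unlocked.add(company_number)


def secure_view(session, company_number):
    """Hardened handler: authorisation is decided from session state, so neither
    a guessed company number nor a skipped step yields access."""
    if company_number not in AUTHORISED.get(session.user, set()):
        raise AccessDenied("user not authorised for this company")
    if company_number not in session.unlocked:
        raise AccessDenied("authentication code step not completed")
    return REGISTER[company_number]


def secure_file(session, company_number, filing):
    """Record modification goes through the same check as viewing."""
    record = secure_view(session, company_number)
    record["filings"].append(filing)
    return len(record["filings"])


def denied(fn, *args):
    """True if the call is refused with AccessDenied (used for demonstration)."""
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    s = Session("alice")
    print("IDOR leaks:", vulnerable_view(s, "07654321")["name"])
    print("hardened refuses other company:", denied(secure_view, s, "07654321"))
    verify_auth_code(s, "01234567", "ABC123")
    print("own company after code:", secure_view(s, "01234567")["name"])
```

The important design point is that the unlock set lives in the server-side session and is populated only by `verify_auth_code`, which itself checks the user-to-company authorisation first. Navigating back in the browser changes nothing on the server, so there is no page state to replay.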

Companies House shut down the WebFiling system on March 13, following media reports.

However, King said the bug was introduced in October 2025 when the WebFiling system was updated.

Some 5 million companies are registered with the UK Companies House.

King added that the incident has been reported to Britain's Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC).

Companies House is also analysing its data to look for anomalies, and is asking registrants to check their details and filing history to ensure everything appears correct.
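The kind of anomaly review described above can be expressed as two rules over an access log: a user touching a company they are not authorised for, and a view or filing on a company for which that user never completed the authentication-code step in the log. This is an added example, not Companies House's tooling; the log line format, the timestamps, the logins and the authorisation map are all constructed for illustration.

```python
"""Flag anomalous WebFiling-style access from a log. The log format below is
hypothetical and constructed for this example; so are the users, company
numbers and the authorisation map."""
import re
from collections import defaultdict

# Constructed sample log (not a real Companies House format):
# "<timestamp> user=<login> company=<8-digit number> event=<login|auth_code_ok|view|file>"
SAMPLE_LOG = """\
2026-03-01T09:00:00Z user=alice company=01234567 event=login
2026-03-01T09:00:00Z user=alice company=01234567 event=auth_code_ok
2026-03-01T09:00:05Z user=alice company=01234567 event=view
2026-03-01T09:02:00Z user=alice company=07654321 event=view
2026-03-01T09:03:00Z user=alice company=07654321 event=file
2026-03-01T10:00:00Z user=bob company=07654321 event=view
"""

# Constructed: which companies each login is actually entitled to file for
AUTHORISED = {"alice": {"01234567"}, "bob": {"07654321"}}

LINE = re.compile(r"^(\S+) user=(\S+) company=(\d{8}) event=(\w+)$")


def find_anomalies(log_text, authorised=AUTHORISED):
    """Return (timestamp, user, company, event, reason) tuples for:
    - 'unauthorised_company': a view/file on a company the user may not access;
    - 'auth_step_skipped': a view/file with no earlier auth_code_ok for that
      user and company in the log (the bypassed-step pattern)."""
    verified = defaultdict(set)  # user -> companies with a logged auth_code_ok
    anomalies = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that do not fit the constructed format
        ts, user, company, event = m.groups()
        if event == "auth_code_ok":
            verified[user].add(company)
        elif event in ("view", "file"):
            if company not in authorised.get(user, set()):
                anomalies.append((ts, user, company, event, "unauthorised_company"))
            elif company not in verified[user]:
                anomalies.append((ts, user, company, event, "auth_step_skipped"))
    return anomalies


def affected_companies(anomalies):
    """Companies that appear in at least one flagged record; the set a
    register operator would ask registrants to review."""
    return sorted({a[2] for a in anomalies})


if __name__ == "__main__":
    for a in find_anomalies(SAMPLE_LOG):
        print(a)
    print("companies to review:", affected_companies(find_anomalies(SAMPLE_LOG)))
```

On the constructed log this flags alice's view and filing against a company she is not authorised for, and bob's view of his own company without a logged authentication-code check. The second rule is the one that catches the back-button bypass in this model, since the legitimate flow always leaves an `auth_code_ok` record before any view.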

Copyright © iTnews.com.au . All rights reserved.