UK Company Data Breach Exposes Millions of Directors’ Private Information

A critical security vulnerability in the UK’s Companies House system has exposed the personal data of directors at over 5 million registered businesses. The breach, which came to light last Friday, allowed unauthorized access to sensitive information, including dates of birth and residential addresses.

The Nature of the Flaw

The flaw resided within Companies House’s WebFiling system, the platform used for official company registrations and updates. A simple exploit—navigating back four times through the system while logged in—allowed users to view and even alter details of other companies, including director contact information.

John Hewitt, a researcher at Ghost Mail, first identified the vulnerability and reported it to Companies House. The issue was traced back to an update implemented in October of last year.

Impact and Response

Companies House swiftly suspended the WebFiling service upon discovery of the flaw and restored it on Monday after implementing a fix. The agency is now urging all registered companies to verify their details, ensuring no unauthorized changes have been made.

CEO Andy King emphasized that while the vulnerability existed, there is currently no confirmed evidence of data misuse. However, an investigation is underway, with support from the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC).

Why This Matters

This incident highlights the persistent risk of data breaches within government-managed systems. The exposed information could be exploited for identity theft, phishing scams, or harassment targeting company leadership. The ease with which the flaw was triggered underscores the need for rigorous security testing and proactive updates in critical infrastructure.

“The exposure of such personal details raises significant concerns about the protection of business leaders and the integrity of the UK’s corporate registry,” commented a cybersecurity analyst familiar with the case.

Companies House has taken action to contain the breach, but the incident serves as a stark reminder that even essential systems can be vulnerable to exploitation.
