Companies House Security Breach Exposes Millions of UK Business Directors' Data

A significant security flaw within the UK's official corporate register, Companies House, has led to the exposure of sensitive private information belonging to directors at millions of British businesses. The vulnerability, which was first identified last Friday, forced the immediate shutdown of the online filing service as a precautionary measure. Companies House has confirmed that the issue has now been resolved, with services fully restored by Monday morning.

Nature of the Security Breach and Exposed Information

The reported bug was located within the Companies House WebFiling system. It permitted users to access specific confidential data from the register's approximately 5 million incorporated companies. This included highly personal details such as the residential addresses and dates of birth of a company's key personnel and directors. Furthermore, the flaw enabled logged-in WebFiling users to alter certain elements of another company's registered details without authorisation, including director email addresses and physical addresses.

The vulnerability was discovered by John Hewitt, a security researcher from the corporate services provider Ghost Mail. Exploitation was alarmingly straightforward; it could be triggered simply by pressing the browser's back key four consecutive times while viewing a company's profile on the WebFiling platform. An internal probe by Companies House suggests the security weakness originated following a system update implemented in October of the previous year.

Official Response and Ongoing Investigations

Andy King, the Chief Executive Officer of Companies House, addressed the incident publicly. "We are asking all companies to check their registered details and filing history to make sure everything appears correct," he stated. "We have taken swift action to secure and restore our service, and are committed to doing everything in our power to support those affected and to make sure that our services continue to merit the trust placed in them." King emphasised that, as of now, there is no evidence to suggest any data was actually accessed or modified without permission, though the internal investigation remains active.

The incident has also attracted the attention of key regulatory and security bodies. Both the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC) have initiated reviews of the breach. An ICO spokesperson has directed business owners to consult guidance available on its dedicated SME advice hub. Companies House has further encouraged any business that believes it may have been impacted by the flaw to formally lodge a complaint through its channels.

The scale of the breach is considerable, given that the Companies House register includes some of the UK's largest and most prominent corporations, such as pharmaceutical giant AstraZeneca, energy major Shell, and retail leader Tesco. This event underscores persistent cybersecurity challenges facing national institutions that manage vast quantities of sensitive commercial and personal data.