Related Articles
Business owners and bosses are being urged to check the details registered at Companies House after a vulnerability on its WebFiling system was exposed last week.
Companies House was alerted to the issue on Friday (13 March) by Dan Neidle, founder of Tax Policy Associates, who revealed how it worked after Companies House took the system offline.
Posting on X, Neidle said: “The exploit was stupidly simple. Go to your own company’s dashboard. Try to view another company (that you don’t own). Give up, and press the back key four times. And you see the other company’s dashboard.”
This revealed information such as directors’ home addresses and full dates of birth.
Companies House has issued a statement and advice for directors today (16 March).
It said: “On Friday 13 March, Companies House was made aware of a security issue which meant that a logged-in user of our WebFiling service could potentially access and change some elements of another company’s details without their consent after performing a specific set of actions.
“We closed WebFiling at 1:30pm on Friday 13 March while we investigated and resolved the issue. The service has been independently tested and is back online as of 9am on Monday 16 March.”
Companies House admitted that it might also have been possible for unauthorised filings, such as accounts or changes of director, to have been made on another company’s record.
Its investigation indicates that the issue was introduced five months ago when Companies House updated its WebFiling systems in October 2025.
It also moved to clarify things that were not affected: passwords were not compromised; no data used as part of the Companies House identity verification process, such as passport information, was accessed; and no existing filed documents, such as accounts or confirmation statements could have been altered.
Companies House is asking all those with a registered company to check the details and filing history to make sure everything appears to be correct.
CEO Andy King stated: “I recognise that this incident will have caused concern and inconvenience to many of the companies and individuals who rely on our services. I am sorry for that.
“Companies House takes its responsibility to protect the data entrusted to us extremely seriously. We have taken swift action to secure and restore our service, and are committed to doing everything in our power to support those affected and to making sure that our services continue to merit the trust placed in them.”
The incident has been reported to the Information Commissioner’s Office and the National Cyber Security Centre.
King said Companies House was also actively analysing its data to identify any anomalies, and would be emailing every company’s registered email address to explain how to check their details and what steps to take if they have any concerns.
Source link
