Between October 2025 and March 2026, a critical security vulnerability in the UK’s Companies House WebFiling service exposed the non-public personal and business information of up to 5 million registered UK companies. The flaw, discovered on March 12, 2026 by John Hewitt at Ghost Mail, allowed anyone with valid login credentials to view other companies’ private dashboards, including directors’ home addresses, dates of birth and personal email addresses as well as sensitive company contact details, simply by entering a different company registration number and repeatedly pressing the browser’s back button. The exposure lasted approximately five months before Companies House shut down the service on March 13, 2026; the service was restored on March 16 after independent security testing.
This article examines how the vulnerability emerged, what data was exposed, how attackers could have exploited it, and what the incident reveals about government cybersecurity practices. The vulnerability represents one of the largest corporate data exposure incidents in UK history. Unlike many breaches that rely on sophisticated techniques, this flaw was a basic access-control failure that required only standard login credentials and elementary browser navigation: a reminder that catastrophic security failures often stem not from advanced attack vectors but from overlooked fundamental safeguards.
Table of Contents
- How Did the UK Companies House Security Vulnerability Work?
- What Data Was Exposed and How Widespread Was the Breach?
- What Could Attackers Actually Do With Access to Company Dashboards?
- How Did Companies House Respond and What Was the Timeline?
- What Are the Regulatory and Compliance Implications for Affected Businesses?
- What Systemic Security Issues Does This Incident Reveal?
- What Recovery Measures and Future Prevention Should Be Implemented?
- Conclusion
How Did the UK Companies House Security Vulnerability Work?
The vulnerability existed in the Companies House WebFiling service, a system used by millions of UK business directors and company secretaries to file documents, update company information, and manage corporate records with the government agency. The flaw was introduced in October 2025 and went undetected for five months before its discovery. The technical mechanism was deceptively simple: after logging in with valid credentials, a user could reach another company’s dashboard by entering a different company registration number and then using the browser’s back button. The server did not re-check, on the dashboard request itself, that the logged-in user was an authorised officer of the company whose number it was being asked to display. In application-security terms this is broken object-level authorization (an insecure direct object reference), not a session-handling flaw: the session was perfectly valid, it simply belonged to a user who had no right to that company’s record.
What made this vulnerability particularly dangerous was that it required no specialized hacking knowledge. An attacker with basic technical skills could systematically enumerate company numbers (which are public and, for the most part, sequential) and read any company’s private information. The back-button behaviour indicates that WebFiling did not verify, on each request, that the logged-in user was authorised for the specific company being displayed. The principle it violated is complete mediation: every access to a protected object is checked against the caller’s current authorization, never inferred from an earlier check or from the browser’s navigation state. The vulnerability was discovered by John Hewitt, a security researcher at Ghost Mail, on March 12, 2026. When Companies House did not respond immediately to his disclosure, Hewitt reported the issue to Dan Neidle at Tax Policy Associates, who contacted government officials. This escalation prompted Companies House to shut down the WebFiling service at 1:30 PM on March 13, 2026, preventing further exploitation.
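The following is an added example, not Companies House code, and the real WebFiling internals are not known to this author. It models the class of bug the two paragraphs above describe: a two-step flow in which authorization is checked once when a company is selected and then trusted on the later dashboard request, so that a browser returning to the selection form and resubmitting a different number reaches the dashboard with an unauthorized identifier. The users, company numbers and dashboard records are constructed; the hardened handler re-derives authorization from the identity on every request (complete mediation), and the enumeration helper shows how the vulnerable handler lets a single valid account walk the whole register.

```python
"""Model of a "check once at selection, trust later" authorization flaw.

Added example, not Companies House code. The users, company numbers and the
select-then-view flow are constructed to illustrate the bug class described in
the text and its fix; the real WebFiling internals are not known to this author.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed data: which logged-in user is an officer of which companies.
AUTHORIZED = {
    "alice": {"01234567"},
    "bob": {"07654321"},
}

# Constructed non-public dashboard data, keyed by company number.
DASHBOARDS = {
    "01234567": {"director_dob": "1970-01-01", "home_address": "1 Example Street"},
    "07654321": {"director_dob": "1985-06-30", "home_address": "2 Sample Road"},
}


class Forbidden(Exception):
    """Raised when the caller is not an officer of the requested company."""


@dataclass
class Session:
    user: str
    selected_company: Optional[str] = None  # set by the selection step


def is_officer(user: str, company_number: str) -> bool:
    return company_number in AUTHORIZED.get(user, set())


# --- Vulnerable flow: authorization is checked only when a company is selected.
def vulnerable_select_company(session: Session, company_number: str) -> None:
    if not is_officer(session.user, company_number):
        raise Forbidden(company_number)
    session.selected_company = company_number


def vulnerable_dashboard(session: Session, company_number: str) -> dict:
    # BUG: this handler only checks that *some* selection succeeded earlier and
    # then serves whatever company number arrives with the current request.
    # Going back to the selection form and resubmitting a different number is
    # one way a browser reaches this request with an unauthorized identifier.
    if session.selected_company is None:
        raise Forbidden("no company selected")
    return DASHBOARDS[company_number]


# --- Hardened flow: every request re-derives authorization from the identity.
def hardened_dashboard(session: Session, company_number: str) -> dict:
    # Complete mediation: the decision depends only on who is logged in and
    # which object is requested now, never on what the browser did before.
    if not is_officer(session.user, company_number):
        raise Forbidden(company_number)
    return DASHBOARDS[company_number]


def enumerate_leak(session: Session, handler) -> list:
    """Walk every known company number through `handler` and return those whose
    non-public data came back although the session's user is not an officer.
    With the vulnerable handler this models enumerating the register."""
    leaked = []
    for number in sorted(DASHBOARDS):
        if is_officer(session.user, number):
            continue
        try:
            handler(session, number)
            leaked.append(number)
        except Forbidden:
            pass
    return leaked


if __name__ == "__main__":
    s = Session("alice")
    vulnerable_select_company(s, "01234567")  # alice's one legitimate step
    print("vulnerable leaks:", enumerate_leak(s, vulnerable_dashboard))  # ['07654321']
    print("hardened leaks:", enumerate_leak(s, hardened_dashboard))      # []
```

The fix is not a better session check: the vulnerable handler already requires a logged-in session with a completed selection. It is that the dashboard handler itself must ask "is this user an officer of this company?" for the identifier in the current request, which is exactly the check a back button cannot bypass.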

What Data Was Exposed and How Widespread Was the Breach?
The vulnerability exposed sensitive non-public information on millions of UK businesses. Specifically, attackers could access directors’ dates of birth, home addresses, personal email addresses, and company contact details. This information is kept off the public register precisely because it creates security and privacy risks: directors’ home addresses and birthdates can be used for identity theft, targeted social engineering, physical security threats, and financial fraud. The exposure affected up to 5 million registered UK companies, representing nearly every active business entity in the country. However, Companies House had no confirmed reports of unauthorized data access or unauthorized changes to company records as of the official announcement.
This does not mean no exploitation occurred; it means either that the vulnerability was not widely exploited before discovery, or that unauthorized access occurred but has not yet been detected during the investigation. The absence of confirmed reports is not equivalent to the absence of unauthorized access. Companies House stated that investigation into potential unauthorized filings and data changes remained ongoing. The breadth of the exposure distinguishes this incident from more contained breaches. Unlike incidents affecting specific customer segments or certain transaction types, this vulnerability exposed sensitive personal and business data across the entire UK corporate registry. For directors and company officers, this means their home addresses, birthdates, and contact information were potentially accessible to any individual with basic technical knowledge who held, or could obtain, valid login credentials.
What Could Attackers Actually Do With Access to Company Dashboards?
The vulnerability granted attackers more than passive read-only access to sensitive information: it potentially allowed them to modify company records and submit unauthorized filings. Attackers could change company details without authorization from legitimate company officers, a capability that opens the door to an attack known as “company hijacking.” In such an attack, a criminal modifies the registered office address, changes director contact details, or alters ownership records, effectively taking control of the company’s official registration. Beyond data theft and record modification, the ability to submit unauthorized filings represents a particularly insidious risk. Attackers could file fraudulent documents, record a transfer of ownership, file to close a company, or take other regulatory actions that carry legal consequences for the legitimate company.
These actions create liability and damage not just for the company, but for its directors and shareholders who may be held responsible for filings they never authorized. For example, a director of a small consulting firm could find that fraudulent filings were submitted in their company’s name without their knowledge, creating complex and expensive legal remediation. The combination of read and write access transforms what might seem like a data privacy issue into an operational security and regulatory compliance crisis. Affected companies would need to verify the integrity of all filings and company records during the exposure period, determine whether unauthorized changes occurred, and potentially pursue legal remedies for any fraudulent actions taken through their compromised registrations.

How Did Companies House Respond and What Was the Timeline?
Once the flaw was reported, the incident response was relatively rapid. John Hewitt reported the vulnerability on March 12, 2026. When initial disclosure channels with Companies House appeared insufficient, the issue was escalated through Tax Policy Associates to government officials on March 13, 2026. Companies House shut down the WebFiling service at 1:30 PM that same day, a decisive action that prevented further exploitation but also disrupted normal business operations for millions of companies that depend on the service for urgent filings and regulatory compliance. The service remained offline for nearly three days (about 68 hours) while Companies House worked with security teams to patch the vulnerability and implement protective measures.
The WebFiling system was restored on March 16, 2026 at 9:00 AM, but only after independent security testing confirmed the vulnerability had been remediated. Companies House reported the incident to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC), the government’s cybersecurity authority, ensuring that the breach was documented and investigated by the appropriate regulatory bodies. The timeline nonetheless exposes two concerns. First, a flaw of this simplicity was not caught during normal security testing and remained undetected for five months, which suggests significant gaps in the security assurance processes protecting critical government infrastructure. Second, the need to escalate through an external party (Tax Policy Associates) to get government attention raises questions about whether Companies House had an adequate vulnerability reporting mechanism in place.
What Are the Regulatory and Compliance Implications for Affected Businesses?
Companies affected by this vulnerability face complex regulatory questions. Under UK GDPR, the duty to report a personal data breach to the ICO, and to the affected individuals where the risk to them is high, falls on the controller of the exposed data, which for the register is Companies House; it has already notified the ICO. Companies whose directors’ personal data was exposed are not automatically under their own notification obligation, but the scale of the exposure (5 million companies) and the fact that the flaw allowed access rather than confirmed unauthorized access creates gray areas in how companies should respond. Some firms may choose to inform their directors, officers and stakeholders out of an abundance of caution, even while Companies House investigates. Additionally, businesses must grapple with the question of data integrity.
If unauthorized changes were made to company records, whether to director information, registered addresses, or filed documents, companies need to verify the integrity of their registrations with Companies House and potentially pursue correction or investigation. This represents a significant operational and compliance burden that many smaller companies may not have anticipated or budgeted for. Larger enterprises typically have dedicated compliance teams; small companies whose directors manage their own registrations may struggle with the process of verifying and correcting records. The regulatory response from the ICO and NCSC will likely drive future requirements for government digital services. If investigations reveal systemic failures in security practices, such as inadequate access controls, insufficient security testing, or poor vulnerability disclosure procedures, those findings may trigger requirements for government agencies to improve security baselines across all digital services.

What Systemic Security Issues Does This Incident Reveal?
The Companies House vulnerability exposes a troubling pattern in government digital security practices. The vulnerability relied on a basic navigation exploit, not on cryptographic breaks or zero-day technical flaws, but on a fundamental failure to validate access permissions on every user action. This is the class that the OWASP Top 10 ranks first (A01:2021 Broken Access Control) and that any assessment against it or against the OWASP Application Security Verification Standard is designed to surface, which suggests that WebFiling was not being tested against such a baseline. The fact that the flaw went undetected for five months despite the service handling millions of users indicates insufficient security monitoring and testing.
Government digital services often face resource constraints, legacy infrastructure challenges, and pressure to prioritize feature delivery over security hardening. Companies House WebFiling is decades old and has undergone numerous modifications. This environment is particularly conducive to security debt—where patches and changes accumulate without comprehensive security reassessment. The vulnerability likely existed because no one performed a thorough access control audit when features were last modified or infrastructure was updated. The incident demonstrates that even critical, high-profile government systems serving essential business functions remain vulnerable to relatively basic security oversights.
What Recovery Measures and Future Prevention Should Be Implemented?
Looking forward, Companies House must implement comprehensive remediation beyond simply patching the immediate vulnerability. This should include a full security audit of the WebFiling system by independent third-party security researchers, not just internal teams. A comprehensive audit would examine access control implementation across all features, session management, data exposure risks, and authentication mechanisms. Additionally, Companies House should implement robust security monitoring and alerting to detect suspicious access patterns—such as single users accessing thousands of different company records in short timeframes.
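The monitoring control the paragraph above calls for can be expressed as a small sliding-window detector. The following is an added example, not Companies House tooling: it counts, per user, how many distinct company numbers were read from the dashboard route within a five-minute window and flags any user who exceeds a threshold. The access-log format, user names and company numbers are constructed for this illustration; a real deployment would map its own fields (session or user id, object id, timestamp, route) into the same shape and tune the window and threshold against observed legitimate use (an accountancy firm acting for many clients will have a higher baseline than a sole director).

```python
"""Detection sketch: flag a user who reads an unusual number of *distinct*
company dashboards within a short sliding window.

Added example, not Companies House tooling. The log format, user names and
company numbers below are constructed for this illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed log format: ISO-8601 UTC timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"user=(?P<user>\S+) company=(?P<company>\S+) path=(?P<path>\S+)"
)


def parse_line(line: str):
    """Return (timestamp, user, company, path), or None for a malformed line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], m["company"], m["path"]


def detect_enumeration(lines, window=timedelta(minutes=5), max_distinct=5):
    """Sliding-window count of distinct company numbers per user on dashboard
    reads. Returns {user: peak_distinct} for every user whose distinct count
    exceeded `max_distinct` inside any `window`. Lines must be time-ordered."""
    recent = defaultdict(deque)                   # user -> deque[(ts, company)]
    live = defaultdict(lambda: defaultdict(int))  # user -> company -> hits in window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                              # malformed line: skip, do not crash
        ts, user, company, path = parsed
        if not path.startswith("/dashboard"):
            continue                              # only object reads count
        q, counts = recent[user], live[user]
        q.append((ts, company))
        counts[company] += 1
        while q and ts - q[0][0] > window:        # evict events outside the window
            _, old_company = q.popleft()
            counts[old_company] -= 1
            if counts[old_company] == 0:
                del counts[old_company]
        if len(counts) > max_distinct:
            alerts[user] = max(alerts.get(user, 0), len(counts))
    return alerts


# Constructed sample: alice behaves normally, mallory walks eight company numbers
# in about two minutes, bob views six companies spread over two hours.
SAMPLE_LOG = [
    "2026-03-12T09:00:00Z user=alice company=01234567 path=/dashboard",
    "2026-03-12T09:00:30Z user=alice company=01234567 path=/filings",
    "2026-03-12T09:01:00Z user=alice company=09876543 path=/dashboard",
    "this line is malformed and should be ignored",
] + [
    f"2026-03-12T10:{i * 18 // 60:02d}:{i * 18 % 60:02d}Z user=mallory "
    f"company={100001 + i:08d} path=/dashboard"
    for i in range(8)
] + [
    f"2026-03-12T{11 + (i * 20) // 60:02d}:{(i * 20) % 60:02d}:00Z user=bob "
    f"company={200001 + i:08d} path=/dashboard"
    for i in range(6)
]

if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG))  # {'mallory': 8}
```

Counting distinct objects rather than raw requests is what separates enumeration from a busy legitimate user refreshing one dashboard, and keying on the authenticated user (or session) rather than the source IP is what makes the rule survive an attacker who rotates addresses but must still hold a valid login. Bob’s six companies over two hours do not trip the rule because the window evicts each earlier read before the next one arrives.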
The incident also highlights the importance of government agencies establishing clear vulnerability disclosure policies and triage procedures. Security researchers should have a published, monitored reporting channel (for example a security.txt file as described in RFC 9116 pointing to a security contact) and defined timelines for acknowledgement, response and remediation. The fact that Hewitt needed to escalate through external parties suggests Companies House lacked a functioning security reporting mechanism. Going forward, government digital services should adopt coordinated disclosure policies that acknowledge and act on reports promptly, so that researchers are not pushed toward public disclosure by silence.
Conclusion
The UK Companies House security vulnerability represents a watershed moment for government digital security awareness. The exposure of sensitive data on up to 5 million businesses for five months, combined with the capability for unauthorized data modification and fraudulent filings, demonstrates the scale of risk when even fundamental security controls—like access permission validation—are overlooked. The incident was not caused by sophisticated zero-day exploits or advanced persistent threats, but by basic flaws in application security that should have been caught by routine testing.
Affected businesses should immediately verify their company registration details with Companies House, monitor their records for unauthorized changes (Companies House’s free “Follow” email alerts notify a subscriber whenever a document is filed against a company), and assess whether the exposure of their directors’ and officers’ personal data calls for notifying those individuals. Government agencies must treat this incident as a catalyst for systemic security improvement, including independent security audits of all critical digital services, establishment of clear vulnerability disclosure processes, and regular security testing using modern threat modeling and penetration testing frameworks. Cybersecurity is not merely a technical concern for isolated incidents; it is a foundational governance requirement for systems that support the entire business ecosystem.
