UK Companies House confirmed in March 2026 that a critical vulnerability in its WebFiling system exposed personal data for directors across all 5 million registered UK companies for approximately five months. The flaw, introduced by an October 2025 system update and discovered by security researcher John Hewitt on March 12, 2026, required no specialized tools; just a registered account and four clicks of a browser's back button. Companies House CEO Andy King confirmed the breach and immediate remediation. The WebFiling system was taken offline on discovery and restored on March 16 after patching. This is not a sophisticated nation-state intrusion. It is an authentication bypass so simple it is almost instructive.

What Happened

In October 2025, a routine system update to Companies House's WebFiling platform introduced a broken access control vulnerability. The flaw sat undetected for five months (from October 2025 through March 12, 2026), affecting the entirety of the UK business registry during that window.

Security researcher John Hewitt of Ghost Mail discovered the vulnerability and disclosed it responsibly to Companies House. The organization acted quickly: the WebFiling system was shut down on notification and restored with patches on March 16, 2026. CEO Andy King publicly confirmed both the incident and the remediation timeline.

The scope is as broad as the UK business registry itself. Every registered company, all five million, was potentially accessible to anyone who held a valid WebFiling account and knew the technique. Companies House has approximately 5 million registered entities, meaning the residential addresses, birthdates, and email addresses of a significant fraction of UK business leadership were exposed for five months.

Whether the vulnerability was actively exploited at scale before discovery is not confirmed. The simplicity of the technique and the five-month exposure window make opportunistic exploitation plausible. Companies House has not published a statement quantifying unauthorized access events during the exposure period.

What Was Taken

The vulnerability exposed the following data for directors across all registered UK companies: residential addresses, full dates of birth, and email addresses. It also granted access to each target company's filing dashboard, not merely read access to a record.

The read/write nature of the exploit is critical. This was not a passive data exposure. An attacker could access a target company's dashboard and file documents on its behalf (changing registered office addresses, submitting false confirmation statements, or altering director records) without triggering authentication challenges. The fraud and corporate impersonation surface is significant.

Why It Matters

Companies House is the foundational layer of UK corporate identity. Every company registered in England, Wales, Scotland, and Northern Ireland is in this registry. Directors' personal details are the linchpin of identity verification for business banking, credit applications, regulatory filings, and due diligence processes across the UK economy.

The combination of residential address, full birthdate, and email address for a named company director is a complete social engineering kit. It is sufficient to impersonate a director to a bank, pass knowledge-based authentication checks, and initiate fraudulent account changes or fund transfers. The five-month window is long enough for systematic harvesting by any adversary who found the bug before Hewitt did.

The write capability compounds this significantly. Fraudulent filings on Companies House are already a documented attack vector; criminal enterprises have exploited the registry's filing system to launder money, commit identity fraud, and take over dormant companies. A point-and-click authentication bypass that grants filing access to any company's record is a force multiplier for that existing fraud ecosystem.

For UK businesses specifically: the exposure was not contingent on any action by the affected company. No phishing link clicked, no credential reused. Your data was accessible to anyone with a WebFiling account by virtue of being registered.

The Attack Technique

The technique was broken access control via browser back-button navigation. The exploit required:

  1. Log into WebFiling with any legitimate account credentials
  2. Navigate to your own company dashboard
  3. Select "file for another company"
  4. Enter any target company registration number
  5. When prompted for an authentication code, press the browser back button four times
  6. Full access to the target company's dashboard; personal director data readable, filings submittable

This is a classic Insecure Direct Object Reference (IDOR) failure compounded by a broken session state management bug. The authentication code prompt was a control that could be bypassed entirely by traversing browser history, indicating the server was not enforcing authorization checks server-side; it was relying on client-side navigation state. That is a fundamental web application security failure.

The vulnerability was introduced by a code change in October 2025, suggesting a regression; a previously secure flow was broken by a system update without adequate regression testing or post-deployment security review.
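To make the server-side point concrete, here is a hypothetical model of a "file for another company" flow, written for this article and not taken from Companies House's code base. The company numbers, authentication codes and handler names are invented; the vulnerable handler treats "a company was selected on the way here" as authorization, while the hardened handler checks an explicit authority record for the requested resource on every request.

```python
"""Hypothetical model of a 'file for another company' flow. This is added
illustration, not Companies House code; names and the 8-digit numbers are invented."""
from dataclasses import dataclass
from typing import Optional

# Constructed per-company authentication codes, as a registry would hold them.
AUTH_CODES = {"11111111": "ABCDEF", "22222222": "ZYXWVU"}
# Server-side record of which account has proven authority for which company.
VERIFIED_AUTHORITY: set = set()


@dataclass
class Session:
    user: str
    company: Optional[str] = None   # navigation context: the number the user typed


def select_company(session: Session, company_number: str) -> None:
    """Flow step: the user enters a target registration number. The vulnerable
    design stores it as context before any proof of authority exists."""
    session.company = company_number


def submit_auth_code(session: Session, company_number: str, code: str) -> bool:
    """Flow step: prove authority with the company's authentication code.
    Only a correct code creates a server-side authority record."""
    if AUTH_CODES.get(company_number) == code:
        VERIFIED_AUTHORITY.add((session.user, company_number))
        return True
    return False


def dashboard_vulnerable(session: Session) -> str:
    """Wrong: treats 'the user reached this page with a company selected' as
    authorization, so any route that skips the code step still renders."""
    if session.company is None:
        return "403"
    return f"dashboard:{session.company}"


def dashboard_hardened(session: Session, company_number: str) -> str:
    """Right: on every request, check the authority record for this user and
    this resource; how the user navigated here is irrelevant."""
    if (session.user, company_number) not in VERIFIED_AUTHORITY:
        return "403"
    return f"dashboard:{company_number}"
```

A regression test for this flow asserts that the dashboard handler returns 403 whenever no authority record exists for the user and company, regardless of which pages were visited first; that is the automated check item 3 below calls for.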

What Organizations Should Do

This incident is a UK government failure, but it surfaces lessons applicable to any organization operating web-based filing or account management systems, and it calls for specific actions by UK businesses whose directors are now at elevated fraud risk:

  1. UK directors: assume your personal data is in circulation. Residential address, birthdate, and email were exposed for up to five months. Place fraud alerts with your bank, monitor for unauthorized Companies House filings against your registered entities at find-and-update.company-information.service.gov.uk, and be alert to unusually detailed impersonation attempts.

  2. For developers and system owners: enforce authorization server-side, always. Client-side state (browser history, session tokens, URL parameters) must never be the sole enforcement point for access control. Every sensitive action must validate the authenticated user's authorization against the resource being accessed on the server, on every request, regardless of how the user navigated there.

  3. Implement regression testing for authentication and access control paths after every system update. This vulnerability was introduced by a code deployment and sat undetected for five months. Automated security regression tests covering IDOR and broken access control patterns should be part of every CI/CD pipeline touching user-facing systems.

  4. Conduct post-deployment security reviews for any update touching authentication or session management. The October 2025 change that introduced this flaw should have triggered a focused security review. Changes to filing workflows, authentication flows, and account switching functions are high-risk surface area requiring explicit security sign-off.

  5. Monitor for anomalous filing activity. Companies House and any similar registry operator should have automated anomaly detection on filing patterns; sudden spikes in cross-company access from single accounts, off-hours filings, or bulk document submissions from accounts without prior activity are all detectable signals of exploitation.

  6. UK businesses: set up filing notification alerts. Companies House offers email alerts for filings made against your company. If you are not subscribed, do so immediately. Unauthorized filings are the direct fraud vector this vulnerability enabled, and early detection is the primary mitigation now that patching is complete.
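As an added illustration of the anomaly detection in item 5 (not a Companies House tool), the following script flags two of the signals named there over constructed WebFiling-style access logs: one account touching many distinct companies in a short window, and an off-hours filing from an account with no prior activity. The log format, field names, window and thresholds are assumptions.

```python
"""Added example: flag cross-company access spikes and off-hours first-time filings
in constructed access logs. Log format, field names and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) company=(?P<company>\d{8})$"
)

# Constructed sample: acct-scan sweeps five companies in two minutes, acct-new's first
# ever event is a 03:01 filing, acct-normal only touches its own company.
SAMPLE_LOG = """\
2026-01-14T10:02:11Z user=acct-normal action=dashboard company=11111111
2026-01-14T10:05:40Z user=acct-normal action=file company=11111111
2026-01-14T02:13:05Z user=acct-scan action=dashboard company=22222222
2026-01-14T02:13:31Z user=acct-scan action=dashboard company=33333333
2026-01-14T02:14:02Z user=acct-scan action=dashboard company=44444444
2026-01-14T02:14:40Z user=acct-scan action=dashboard company=55555555
2026-01-14T02:15:09Z user=acct-scan action=dashboard company=66666666
2026-01-14T03:01:00Z user=acct-new action=file company=77777777
"""


def parse(log_text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(d)
    return events


def detect(events, window=timedelta(minutes=10), max_companies=3, off_hours=range(0, 6)):
    """Return {user: [reasons]} for accounts whose activity matches a signal."""
    alerts, by_user = defaultdict(list), defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        # Signal 1: more than max_companies distinct companies inside one window.
        for i, start in enumerate(evs):
            seen = {e["company"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(seen) > max_companies:
                alerts[user].append(f"{len(seen)} companies within {window}")
                break
        # Signal 2: the account's first recorded action is an off-hours filing.
        first = evs[0]
        if first["action"] == "file" and first["ts"].hour in off_hours:
            alerts[user].append("off-hours filing with no prior activity")
    return dict(alerts)
```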
