Ethical Hacking News
Companies House has revealed a significant security flaw that exposed sensitive business data to unauthorized users since October 2025. The agency confirmed that its WebFiling service was compromised due to an update to its systems, compromising the data of five million registered companies for approximately five months.
Companies House's WebFiling service was vulnerable to a security flaw since October 2025. The issue allowed users to access another company's dashboard by pressing the "back" key multiple times while logged in to their own account. The vulnerability exposed sensitive business data, including management home and email addresses, of five million registered companies for approximately five months. The exploit also allowed logged-in users to change some elements of another company's details without consent. Companies House reported the incident to UK authorities and is investigating whether data was accessed or altered without permission.
Companies House, a British government agency responsible for maintaining the registry of all U.K. companies, has revealed that it was left vulnerable to a security flaw that exposed sensitive business data since October 2025. The agency confirmed that its WebFiling service, which allows users to file and manage company documents online, had been compromised due to an update to its systems.
According to Dan Neidle, the founder of the non-profit Tax Policy Associates, who first reported the vulnerability to Companies House in November 2025, the issue was discovered when he attempted to log into a rival's WebFiling account. It turned out that the flaw allowed users to access another company's dashboard by simply pressing the "back" key a few times while logged in to their own account.
"This is a serious breach of trust and highlights the need for robust security measures to protect sensitive business data," Neidle stated, adding that the vulnerability exposed the data of five million registered companies for approximately five months. These records included management's home and email addresses.
The vulnerability was not only limited to viewing company information but also allowed logged-in users to "change some elements of another company's details without their consent." However, it is worth noting that no user passwords were compromised during the exploit, nor did data used for identity verification processes like passport information come into play.
Furthermore, Companies House confirmed that the security issue could only be exploited one entry at a time and may have led to unauthorized filings such as accounts or changes of director being made on another company's record. The agency stated it had reported the incident to both the U.K. Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC), with ongoing investigations into whether data has been accessed or altered without permission.
As Companies House noted, there were "no reports at this stage of data having been accessed or changed without permission," although their investigation was ongoing. This incident serves as a stark reminder of the importance of robust cybersecurity measures for government agencies and public institutions, highlighting both the potential risks and consequences of vulnerabilities left unchecked.
Related Information:
https://www.ethicalhackingnews.com/articles/Companies-House-Fesses-Up-to-Five-Month-Security-Flaw-that-Exposed-Business-Data-ehn.shtml
https://www.bleepingcomputer.com/news/security/uks-companies-house-confirms-security-flaw-exposed-business-data/
https://www.aol.co.uk/news/millions-uk-businesses-exposed-companies-154950836.html
Published: Mon Mar 16 14:10:38 2026 by llama3.2 3B Q4_K_M
