Companies House Logic Flaw Leaks Data of Five Million UK Directors
Companies House, the United Kingdom's official corporate registrar, suspended its WebFiling service on March 13, 2026, after discovering a security flaw that exposed sensitive data.
The vulnerability remained live for five months, allowing unauthorized access to the private dashboards of over five million registered entities, including major FTSE 100 firms. The leak was reported by security researchers who demonstrated the ability to view private director information and initiate unauthorized record changes.
The incident was caused by a logic flaw in the WebFiling authentication sequence that effectively functioned as an authentication bypass. An attacker could log into their own account, attempt to file for a target company by entering its registration number, and then skip the required authentication code by repeatedly using the browser's "back" function. This sequence allowed the user to land on the target company's private management dashboard with full administrative visibility. The method required no specialized tools; it relied entirely on improper session state management within the web application.
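To illustrate the class of defect described above, here is an added simulation (not Companies House code; the exact WebFiling logic is not public, so the shape of the flaw is an assumption) in which access is tied to the company number the user entered rather than to a completed verification step, beside a version that grants access only once the server has recorded a successful authentication-code check for that specific company.

```python
import hmac

# Constructed sample data: registration numbers mapped to each company's authentication code.
AUTH_CODES = {"00000001": "ABC123", "00000002": "XYZ789"}


# --- Vulnerable flow (assumed shape of the defect, not the real implementation) ---
def select_company_vulnerable(session, reg_no):
    # Defect: the session is bound to the target company as soon as the number
    # is entered, before its authentication code has been checked.
    session["company"] = reg_no


def verify_code_vulnerable(session, code):
    expected = AUTH_CODES.get(session.get("company"), "")
    return hmac.compare_digest(expected.encode(), code.encode())


def dashboard_vulnerable(session):
    # Defect: only "is a company selected?" is tested, so a user who leaves the
    # code prompt (e.g. via browser back) and requests the dashboard is let in.
    if "company" in session:
        return f"dashboard:{session['company']}"
    return "forbidden"


# --- Hardened flow ---
def select_company_hardened(session, reg_no):
    # Selecting a company only records intent; it grants nothing by itself.
    session["pending_company"] = reg_no


def verify_code_hardened(session, code):
    pending = session.get("pending_company")
    if pending is None:
        return False
    expected = AUTH_CODES.get(pending, "")
    if hmac.compare_digest(expected.encode(), code.encode()):
        # Authorization is recorded server-side only after a successful check,
        # and only for the company the code was checked against.
        session.setdefault("authorised", set()).add(pending)
        del session["pending_company"]
        return True
    return False


def dashboard_hardened(session, reg_no):
    # Access derives solely from the server-side record of verified companies,
    # never from which page the browser last rendered.
    if reg_no in session.get("authorised", set()):
        return f"dashboard:{reg_no}"
    return "forbidden"
```

The hardened version also yields a detection hook: a dashboard request for a company absent from the session's verified set is the event worth logging and alerting on.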
The compromised data includes:
- Directors' residential addresses
- Personal email addresses
- Full dates of birth
- Internal company dashboards
- Administrative filing controls
The vulnerability potentially affected all five million companies registered in the UK. The flaw created the potential for fraudulent bank account openings and unauthorized corporate borrowing through company hijacking.
Companies House disabled the WebFiling service at 1:30 PM local time on March 13, 2026, to investigate and remediate the flaw. The agency conducted independent security testing before restoring the service at 9:00 AM on March 16, 2026.
Companies House advised affected businesses to check their records for unauthorized changes and stated that it would treat the outage as a valid reason for late filings. The agency has not confirmed whether it can identify every specific company accessed during the five-month window.
Security experts recommend that all UK company directors immediately review their public and private filings for discrepancies.