Companies House admits logged-in users could access rivals’ data without permission
The UK’s Companies House has admitted that a security vulnerability in its WebFiling service allowed logged-in users to potentially access and even alter sensitive details of rival companies without permission.
The exposed information included personal data such as directors’ home addresses, dates of birth, and email addresses.
In an official statement on Monday (16 March), Companies House Chief Executive Andy King said the issue meant “a logged-in user of our WebFiling service could potentially access and change some elements of another company’s details without their consent after performing a specific set of actions.”
The flaw, which stemmed from system updates made in October 2025, was not exploitable by the general public, but anyone with a valid WebFiling login could exploit it. That means competitors, malicious actors who created shell accounts, or even curious insiders might have viewed or modified private company information not normally visible on the public register.
Companies House took the service offline at 1:30 p.m. on 13 March, after being alerted to the problem. The agency proactively notified the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC), conducted an investigation, and restored the service at 9 a.m. on 16 March following independent testing.
While no evidence of widespread unauthorised access or changes has been found so far, the potential risks are significant. Exposed data included non-public details like residential addresses and full dates of birth for directors, as well as company email addresses.
In some cases, unauthorised filings – such as submitting false accounts or changing director details – could have been made on another company’s record.
The vulnerability did not compromise passwords, identity verification documents (such as passports), or already-filed public documents.
The bug was reportedly straightforward to exploit. Users could start from their own dashboard, attempt to access another company using its registration number, and bypass authentication prompts to reach a rival’s private view or editing interface.
Tax expert Dan Neidle of Tax Policy Associates first flagged the issue on 13 March after it was brought to his attention, describing it as an “absolutely insane vulnerability” due to its simplicity.
With more than five million companies registered in the UK, the incident raises fresh questions about data protection in one of the country’s key corporate transparency systems.
Companies House said that bulk data extraction was not possible as the flaw allowed access only to individual company records one at a time, but the possibility of targeted misuse remains a concern for businesses worried about fraud, identity theft, or competitive espionage.