Companies House has suspended its online WebFiling service after a cyber security breach allowed users to access and potentially edit sensitive personal data of other companies registered on the UK Business Register.
The issue arose after a security flaw in the government agency’s online dashboard allowed individuals to navigate to other companies’ accounts by simply pressing the browser’s back button. The glitch could reportedly expose sensitive information, including home addresses, email addresses and dates of birth of directors – data that could potentially be exploited for fraud or identity theft.
The vulnerability was identified by Dan Neidle, founder of Tax Policy Associates, who alerted Companies House to the issue on Friday. Neidle warned that the flaw could have serious consequences if it had existed for a long period of time before it was discovered.
“This could be very serious if it’s been around for a long time,” he said, describing the vulnerability as having “an absolutely insane lack of how easy it is to find.”
Following the warning, Companies House confirmed it had shut down the WebFiling system pending an investigation. The platform is widely used by companies across the UK to submit official documents such as annual accounts, confirmations and other legally required documents.
A Companies House spokesperson said: “We are aware of an issue with our WebFiling service and have closed it while we investigate. We apologize for any inconvenience this may cause to our customers.”
The temporary suspension of the service is likely to disrupt the company’s routine filings while technical teams assess the extent of the problem and determine whether data has been unlawfully accessed.
Cybersecurity experts say vulnerabilities of this type could create opportunities for criminal activity, particularly when sensitive corporate information is involved. Personal information such as home addresses and dates of birth of directors can be used by fraudsters to impersonate company leaders, submit fraudulent documents, or attempt identity theft.
Graeme Stewart, public sector director at cybersecurity firm Check Point Software, warned that the vulnerability could put business leaders at significant risk if exploited by malicious actors.
“This is the latest in a series of public sector data disasters that threaten the privacy, security and personal safety of hundreds of thousands of business leaders,” he said.
“A mistake of this magnitude is a gift to cybercriminals who want to upload false documents, impersonate CEOs and facilitate data theft. It’s time for a complete overhaul of core systems, with security built in from the start rather than added as an afterthought.”
The incident has also raised concerns about the resilience of digital systems used by government agencies to manage critical national data. Companies House maintains records for more than five million UK companies and processes millions of filings each year.
Kenny MacAulay, chief executive of accounting software platform Acting Office, said the vulnerability highlights deeper issues surrounding digital security and system monitoring.
“Another day, another massive data failure in the public sector,” he said. “It is unimaginable that hackers could so easily gain access to seemingly the entire dashboard of tens of thousands of companies and their respective directors across the UK.
“Basic compliance requirements should be in place to prevent data leaks like this, and websites should be thoroughly checked for errors and security vulnerabilities on a regular basis.”
Under the UK Computer Misuse Act 1990, unauthorized access to computer systems or data can have serious legal consequences. Unauthorized access to computer material can be punished with a prison sentence of up to two years, while accessing data with the intent to commit further crimes such as fraud can be punished with a sentence of up to five years.
The discovery of the error comes amid increasing scrutiny of the UK business registration system. Companies House has made significant reforms in recent years aimed at improving transparency and reducing fraud, including introducing new identity verification rules for company directors.
But cybersecurity experts say the latest incident underscores the need for further investment in secure digital infrastructure, particularly for systems that store sensitive personal and corporate data.
Companies House has not yet confirmed how long the breach existed and whether data was accessed or misused before the service was shut down. Investigations into the breach are ongoing and the agency is expected to provide further updates once the review is complete.
