Companies House blames five-month-old IT update for major system failure

A critical security flaw in the official UK corporate register left the private details of millions of company directors exposed to potential fraud for at least six months, it has been revealed.

The vulnerability, described by one expert as “absolutely insane” in its simplicity, was discovered on Thursday by John Hewitt, Operations Director at corporate services provider Ghost Mail. He alerted Dan Neidle, founder of the think tank Tax Policy Associates, who then raised the alarm with Companies House.

How a ‘back button’ bypassed security

The bug resided in the Companies House WebFiling service, used by businesses to submit official documents. According to the agency’s own investigation, the flaw was likely introduced during a system update in October 2025.

Its operation was alarmingly straightforward. A logged-in user could go to the ‘file for another company’ option and enter any company registration number. Rather than being blocked for lacking the correct authentication code, the user could repeatedly press the ‘back’ button on their web browser and land in the dashboard of the unrelated company.

From there, they could view non-public information including directors’ dates of birth, residential addresses, and company email addresses. Potentially, they could also make unauthorised filings, such as submitting accounts or changing director details.

Dan Neidle told the Press Association that, by security researchers’ estimates, such vulnerabilities are typically exploited within an average of 15 days of appearing. “This was a particularly easy vulnerability with no hacking required,” he said.

A particularly concerning aspect, confirmed in the research briefing, was that any confirmation of changes made was emailed to the user who performed the action, not to the company whose record was altered. This meant a victim company would receive no immediate alert that its details had been tampered with.
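To illustrate the class of flaw described above, here is an added example that is not Companies House code: a hypothetical model of how a ‘select a company, then press back’ bypass arises when a dashboard trusts a company number that was stored in the session before the authentication code was verified, alongside a notification routine that writes to the company’s registered address rather than only to the acting user. The register entries, email addresses and authentication codes are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample register: company number -> auth code and registered email.
REGISTER: Dict[str, Dict[str, str]] = {
    "01234567": {"auth_code": "ABC123", "email": "directors@alpha.example"},
    "07654321": {"auth_code": "XYZ789", "email": "board@beta.example"},
}

@dataclass
class Session:
    user_email: str
    selected_company: Optional[str] = None            # set as soon as a number is typed
    authorised: Set[str] = field(default_factory=set)  # populated only after the code check
    outbox: List[Tuple[str, str]] = field(default_factory=list)  # (recipient, message)

def select_company(session: Session, number: str) -> str:
    """Step 1 of 'file for another company': remember the target BEFORE the auth code is checked."""
    if number in REGISTER:
        session.selected_company = number
        return "auth_code_prompt"
    return "not_found"

def verify_auth_code(session: Session, number: str, code: str) -> bool:
    """Step 2: only a correct code grants the session access to that company."""
    if number in REGISTER and REGISTER[number]["auth_code"] == code:
        session.authorised.add(number)
        return True
    return False

def dashboard_weak(session: Session, number: str) -> Optional[dict]:
    """Flawed: trusts the navigation flow. Pressing 'back' re-requests the dashboard with the
    stale selection still in the session, and the auth-code step is never consulted."""
    if session.selected_company == number:
        return {"company": number, "private_email": REGISTER[number]["email"]}
    return None

def dashboard_fixed(session: Session, number: str) -> Optional[dict]:
    """Hardened: every request re-checks that the auth code for THIS company was completed."""
    if number in session.authorised:
        return {"company": number, "private_email": REGISTER[number]["email"]}
    return None

def notify_change(session: Session, number: str, fixed: bool = True) -> str:
    """Send the filing confirmation to the company's registered address (fixed) rather than
    only to the acting user (weak), so the affected company learns of the change."""
    recipient = REGISTER[number]["email"] if fixed else session.user_email
    session.outbox.append((recipient, f"Filing changed on company {number}"))
    return recipient
```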

Potential for fraud and a swift shutdown

The potential for fraud was significant. Experts warned the flaw could have been used to impersonate companies to obtain loans, change registered addresses to intercept sensitive mail, or file fraudulent accounts. The exposed personal data of directors also opened avenues for phishing, identity theft, and social engineering attacks, particularly against individuals at smaller firms.

Companies House stressed several limitations. Passwords were not viewable, and sensitive identity verification data like passport details was not accessible. Already-filed historical documents could not be altered. The agency’s chief executive, Andy King, stated, “We believe that this issue could not have been used to extract data in large volumes or to access records systematically.” He said any access would have been limited to individual company records, viewed one at a time.

Upon being alerted by Neidle on Friday, 13 March, Companies House took the WebFiling service offline at 1:30 pm that day. It was reopened at 9 am on Monday, 16 March, after what the agency described as independent testing. The incident has been proactively reported to both the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC).

Apology and ongoing checks

In a statement, Andy King apologised for the incident. “I recognise that this incident will have caused concern and inconvenience to many of the companies and individuals who rely on our services. I am sorry for that,” he said. He vowed to take “firm action” if evidence emerges that anyone exploited the bug maliciously.

The agency said it was not yet aware of any confirmed cases of data being accessed or changed without permission, but its investigation continues. Companies House is now analysing its data for “anomalies” and plans to email guidance to every company’s registered address on how to check their details for signs of tampering.

A glitch in a context of reform

The incident casts a spotlight on the challenges facing Companies House as it undergoes its most significant reform in 170 years. The Economic Crime and Corporate Transparency Act 2023 aims to transform the register from a passive recipient of information into an active gatekeeper, with powers to verify identities and challenge dubious filings.

This glitch, however, is not an isolated concern. In November 2022, MPs were told the agency was “dysfunctional” and facilitating fraud due to its historical lack of verification. The current incident also involves the “One Login” digital identity system, which has faced previous scrutiny.

Recent data protection reforms, which came into force in early 2025, are designed to help. They allow individuals to apply to suppress personal information like full birth dates and home addresses from the public register—measures intended to protect against fraud and physical harm.

As the clean-up from this breach begins, businesses also face another imminent change. The joint HMRC/Companies House online filing service is set to close on 31 March 2026, requiring companies to use commercial software for future submissions.

For now, Companies House has urged all companies to review their publicly listed details. Andy King pledged the agency was “committed to being transparent throughout” the ongoing investigation into a flaw that laid bare the sensitive data underpinning British corporate life for half a year.

Thaddeus Norwell

Business & Technology Writer
Thaddeus Norwell is a business and technology writer based in London, UK. He reports on business trends, digital innovation, and regulatory developments shaping the UK economy, focusing on practical outcomes rather than speculation. His work explores how technology and policy affect companies, markets, and consumers.
· Market and regulatory analysis, fintech sector reporting, enterprise technology coverage
· UK corporate landscape, tax and fiscal policy, interest rates and mortgages, AI regulation, cybersecurity threats, startup ecosystem
