← Back to diffwire

Major glitch exposes personal director records for thousands

5 articles | Updated 2h ago | Created 1d ago
UK CYBERSECURITY
Story image

A critical security flaw has exposed confidential data, including residential addresses and phone numbers of directors at millions of UK firms. The issue was identified after a back button blunder allowed users to access rival company registers through the WebFiling service run by Companies House.

Key Points

  1. 1
    A critical 'back button' glitch on the WebFiling service operated by Companies House potentially allowed users to access confidential records from rival companies.
  2. 2
    The security issue, which has been active since October (year unspecified in text), exposed personal data including residential addresses of business directors across millions of UK firms and individuals.
  3. 3
    Companies House was forced to take the entire WebFiling platform offline for a weekend repair before bringing it back online on March 17th.

Developments

[Mar] Mar WebFiling service brought back online after being shut down to fix the security issue; warning issued regarding exposed data of millions (Sources: Birminghammail, The Register).
(Oct) Security flaw was active and potentially exposing company information since this date.
Warning for millions of people who have details on Companies House
Birminghammail.co.uk [email protected] (James Rodger) 3h ago

A technical glitch on the Companies House website potentially allowed logged-in users with authorized codes to view and edit other firms' personal data like home addresses. The chief executive apologized for the error but stated that while unauthorized access was possible in theory, there is no evidence it has been used systematically or by large volumes of people so far.

Flaw in UK's corporate registry let directors rummage through rival records
The Register The Register 21h ago

Companies House temporarily shut down its UK corporate registry's web filing service on March 13 due to security flaws allowing logged-in users potentially view or modify confidential data like personal addresses and company emails. The agency confirmed that while the vulnerability existed, passwords could not be accessed nor existing documents altered, with access limited individually rather than enabling large-scale systematic extraction of records.

Millions of UK firms on alert after Companies House data exposure
Helpnetsecurity Sinisa Markovic 1d ago
UK’s Companies House confirms security flaw exposed business data
Bleepingcomputer Sergiu Gatlan 1d ago

Companies Home confirmed that its security flaw exposed the data (including home addresses) of five million companies from October 2025 to January, allowing logged-in users to view other company records one entry at a time. The vulnerability was discovered by Dan Neidle after failing contact with Ghost Mail's John Hewitt and required no additional authentication beyond logging into an account for the first purpose before navigating away via keyboard shortcuts.

Millions of UK businesses exposed by Companies House security flaw
Independent.co.uk Anthony Cuthbertson 1d ago

A major vulnerability in Companies House's WebFiling system allowed unauthorized users to view private details like directors' residential addresses and alter company information by pressing the back key four times, though an internal investigation found no evidence of actual data access or changes without permission since it was discovered last Friday.