> threat.advisory —— target: UK company directors —— source: Companies House WebFiling —— records_exposed: 5,000,000 —— action_required: IMMEDIATE
On the 16th of March 2026, Companies House confirmed a security flaw in its WebFiling service that had been active since October 2025 — exposing the personal details of directors across five million UK registered companies. The vulnerability, first reported by tax policy analyst Dan Neidle, allowed any logged-in user to access another company's dashboard by navigating backwards during the 'file for another company' process. The exposed information included directors' home addresses, email addresses, dates of birth, and residential details.
For six months, this data was accessible to anyone with a Companies House WebFiling account. Whilst no specific threat actor has been identified, the nature of the flaw means that scammers could have harvested director information for spear-phishing campaigns, identity fraud, or social engineering attacks against UK businesses.
If you are listed as a director, secretary, or person of significant control for any UK registered company, your personal data may have been exposed. This includes your home address, email address, and date of birth. Companies House has not issued individual notifications, so you should assume your data was potentially accessible and take protective action.
We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.
Free Scoping Call

| Action | Detail |
|---|---|
| Check your Companies House details | Log in to WebFiling and verify that your registered details are correct. Look for any unauthorised changes — altered registered addresses, new officers you didn't appoint, or filing history you don't recognise. Criminals who obtained director details could attempt to file fraudulent documents to take control of your company. |
| Be alert to targeted phishing | With your home address, email, and date of birth, attackers can craft highly convincing spear-phishing emails that appear to come from HMRC, your bank, your accountant, or Companies House itself. Treat any unexpected communication requesting action with extreme suspicion — especially if it references your company or personal details. |
| Consider a credit check | Your date of birth and home address are key identity verification data points. Criminals could use them to apply for credit in your name. Run a free credit check through Experian, Equifax, or TransUnion to verify that no unauthorised applications have been made. Consider placing a CIFAS protective registration on your credit file. |
| Use a registered office service | If your home address is listed as your company's registered office, consider switching to a registered office service. This reduces the amount of personal information publicly associated with your company and limits your exposure in future incidents. |
| Enable two-factor authentication | Ensure that your Companies House WebFiling account, your email accounts, and your banking are all protected with multi-factor authentication. If an attacker has your email address, MFA is the primary control preventing them from accessing your accounts. |
The Companies House WebFiling flaw is the latest in a long series of UK Government system failures that have exposed citizens' personal data — a pattern we have documented extensively in our Breach Deep Dive series. A navigation flaw that allowed users to access other companies' dashboards is not a sophisticated vulnerability — it is a basic access control failure that would be identified by any competent web application penetration test.
The flaw was active for six months before being reported and fixed. During that time, there was no detection, no monitoring alert, and no proactive identification by Companies House's own security processes. The exposure was discovered by a member of the public, not by the organisation responsible for the system.
For UK businesses, the lesson is twofold. First, you cannot rely on Government systems to protect your personal data — you must take your own protective measures. Second, if your own business operates web applications that handle personal data, you must test them. Access control flaws of this nature are among the most common findings in web application penetration testing. If Companies House had commissioned a penetration test of WebFiling, this flaw would have been identified in minutes.
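The access control failure described above can be modelled in a few lines. This is an added example, not code from Companies House or from this article: the page gives no implementation details of WebFiling, so the two-step flow, the function names, the account name, the company numbers and the authentication codes are all constructed assumptions. It sets a dashboard that trusts flow state beside one that checks a server-side grant on every request, with the back-navigation case as a regression check.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: verified account-to-company grants and auth codes.
GRANTS = {"alice": {"00000001"}}
AUTH_CODES = {"00000001": "A1B2C3", "00000002": "X9Y8Z7"}

class Forbidden(Exception):
    """Raised when the account holds no verified grant for the company."""

@dataclass
class Session:
    user: str
    selected_company: Optional[str] = None  # set as soon as step 1 runs

def start_file_for_another(session: Session, company: str) -> None:
    """Step 1 (assumed flow): the user names a company; nothing is verified yet."""
    session.selected_company = company

def confirm_auth_code(session: Session, code: str) -> bool:
    """Step 2 (assumed flow): a correct code records a server-side grant."""
    company = session.selected_company
    if company is None or AUTH_CODES.get(company) != code:
        return False
    GRANTS.setdefault(session.user, set()).add(company)
    return True

def dashboard_weak(session: Session) -> str:
    """Flawed pattern: trusts flow state, so leaving the flow after step 1
    (for example with the browser's back button) still renders the dashboard."""
    return f"dashboard for {session.selected_company}"

def dashboard_hardened(session: Session) -> str:
    """Checks the grant on every request, whatever page the user came from."""
    company = session.selected_company
    if company is None or company not in GRANTS.get(session.user, set()):
        raise Forbidden(f"{session.user} has no grant for {company}")
    return f"dashboard for {company}"

def back_navigation_case(view) -> str:
    """Regression case: alice starts the flow for a company she holds no
    grant for, skips step 2, then requests the dashboard."""
    session = Session(user="alice")
    start_file_for_another(session, "00000002")
    try:
        return view(session)
    except Forbidden:
        return "403"
```

Run as a test in CI, `back_navigation_case` catches any view that renders a dashboard from flow state alone.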
Our web application penetration testing identifies access control flaws, authentication weaknesses, and data exposure vulnerabilities — the exact categories of issue that affected Companies House. If your application handles customer or employee data, test it before someone else finds the flaw.