Companies House, the UK’s official registrar of companies, has disclosed a security flaw in its WebFiling service that exposed sensitive data tied to more than five million registered businesses.
The issue traces back to a system update rolled out in October 2025 and went unnoticed for five months before it was flagged.
The vulnerability meant that logged-in users could access other companies’ records simply by manipulating browser navigation. That potentially exposed the home addresses, email addresses, and dates of birth of company officers and, in some cases, may even have opened the door to unauthorized changes to filings.
In response, the organisation pulled the affected service offline to fix the issue and reported the incident to regulators, including the Information Commissioner’s Office and the National Cyber Security Centre.
Officials say there’s no sign of mass data scraping, noting that any access would have been limited to individual records viewed one at a time, but investigations are still ongoing.
Companies House said passwords were not compromised, and no data used as part of its identity verification process, such as passport information, was accessed. It added that no existing filed documents, such as accounts or confirmation statements, could have been altered.
“We believe that this issue could not have been used to extract data in large volumes or to access records systematically. Any access would have been limited to individual company records, viewed one at a time by a registered WebFiling user,” its statement read.
Noelle Murata, Sr. Security Engineer, Xcape Inc, commented: “For security professionals, this incident is a poignant reminder that even the most trusted government portals on the Internet are susceptible to fundamental logic flaws when change management fails. This lapse highlights a systemic breakdown in regression testing and secure code review, as a basic Insecure Direct Object Reference (IDOR) should never survive a production deployment.”
She added that defenders must prioritize automated security integration within the CI/CD pipeline and implement robust, identity-aware access controls that validate permissions on every single request.
“Moving at the speed of business is no excuse for leaving the back door wide open to five million boardroom secrets.”
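To make the class of flaw concrete, here is an added illustration written for this page; it is not Companies House code and does not describe how WebFiling is built. It models a record lookup that only checks that the caller is logged in (the insecure direct object reference pattern described above) beside one that also verifies, on every request, that the caller is authorised for the specific company number they supplied. All company numbers, officers, users and session tokens are constructed sample data, and the function and variable names are the example's own.

```python
"""Added example: an IDOR in a company-record lookup, beside a hardened version.

Illustrative code for this page only (not Companies House's WebFiling code).
All records, users and session tokens below are constructed sample data.
"""

from dataclasses import dataclass, field
from typing import Callable, Iterable


@dataclass(frozen=True)
class Officer:
    name: str
    home_address: str
    email: str
    date_of_birth: str


@dataclass
class CompanyRecord:
    company_number: str
    name: str
    officers: list[Officer] = field(default_factory=list)


# Constructed sample data: two companies, each with one officer on file.
COMPANIES = {
    "01234567": CompanyRecord("01234567", "Acme Widgets Ltd", [
        Officer("A. Director", "1 Example Row, Leeds", "a@example.test", "1970-01-01"),
    ]),
    "07654321": CompanyRecord("07654321", "Bolt Services Ltd", [
        Officer("B. Secretary", "2 Sample Street, Bristol", "b@example.test", "1982-05-09"),
    ]),
}

# Constructed session table (token -> user) and the companies each user may file for.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
AUTHORISED = {"alice": {"01234567"}, "bob": {"07654321"}}


class NotFound(Exception):
    """Raised for both missing and unauthorised company numbers, so the
    response does not tell a caller which numbers exist but are off-limits."""


def current_user(session_token: str) -> str:
    """Authentication only: resolve a session token to a user or reject."""
    try:
        return SESSIONS[session_token]
    except KeyError:
        raise PermissionError("login required") from None


def lookup_vulnerable(session_token: str, company_number: str) -> CompanyRecord:
    """IDOR: trusts the client-supplied identifier. Any logged-in user can read
    any company's record just by changing the number in the request."""
    current_user(session_token)  # checks the caller is logged in, nothing more
    try:
        return COMPANIES[company_number]
    except KeyError:
        raise NotFound(company_number) from None


def is_authorised(user: str, company_number: str) -> bool:
    """Authorisation: is this user permitted to act for this specific company?"""
    return company_number in AUTHORISED.get(user, set())


def lookup_secure(session_token: str, company_number: str) -> CompanyRecord:
    """Hardened: authentication, then an object-level authorisation check on
    every request, before the record is touched. Unauthorised and unknown
    numbers are indistinguishable to the caller."""
    user = current_user(session_token)
    if not is_authorised(user, company_number):
        raise NotFound(company_number)
    try:
        return COMPANIES[company_number]
    except KeyError:
        raise NotFound(company_number) from None


def probe(handler: Callable[[str, str], CompanyRecord],
          session_token: str, candidates: Iterable[str]) -> list[str]:
    """Simulate a logged-in user walking through candidate company numbers one
    request at a time; return the numbers whose records the handler disclosed."""
    disclosed = []
    for number in candidates:
        try:
            handler(session_token, number)
            disclosed.append(number)
        except NotFound:
            continue
    return sorted(disclosed)


if __name__ == "__main__":
    candidates = ["01234567", "07654321", "09999999"]
    print("vulnerable:", probe(lookup_vulnerable, "tok-alice", candidates))
    print("secure:    ", probe(lookup_secure, "tok-alice", candidates))
```

The `probe` loop is the point of the example: a login check alone does nothing to stop a registered user from stepping through identifiers one request at a time, which is exactly why the authorisation check has to bind the caller to the object on every request rather than once per session. Returning the same "not found" result for unknown and unauthorised numbers also avoids confirming which identifiers exist.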
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.