0 likes5 views

Companies House suspends online filing service after cyber vulnerability exposes director data

March 16, 2026

Companies House has suspended its online WebFiling service after a cyber vulnerability allowed users to access and potentially edit sensitive personal data belonging to other businesses registered on the UK’s corporate register.

The issue emerged after a security flaw in the government agency’s online dashboard allowed individuals to navigate into the accounts of other companies simply by pressing the browser’s back button. According to reports, the glitch could expose confidential information including directors’ home addresses, email addresses and dates of birth – data that could potentially be exploited for fraud or identity theft.

The vulnerability was identified by Dan Neidle, founder of Tax Policy Associates, who alerted Companies House to the issue on Friday. Neidle warned that the flaw could have serious implications if it had existed for a prolonged period before being detected.

“This could be very serious if it’s been around for a long time,” he said, describing the vulnerability as “an absolutely insane flaw in how easy it is to find.”

Following the alert, Companies House confirmed it had shut down the WebFiling system while an investigation takes place. The platform is widely used by businesses across the UK to submit official documents such as annual accounts, confirmation statements and other statutory filings.

A spokesperson for Companies House said: “We are aware of an issue with our WebFiling service and have closed it while we investigate. We apologise for any inconvenience to our customers.”

The temporary suspension of the service is likely to disrupt routine company filings while technical teams assess the scale of the problem and determine whether any data was accessed improperly.

Cybersecurity experts say vulnerabilities of this nature could create opportunities for criminal activity, particularly where sensitive corporate information is involved. Personal data such as directors’ home addresses and dates of birth can be used by fraudsters to impersonate business leaders, submit fraudulent filings or attempt identity theft.

Graeme Stewart, head of public sector at cybersecurity firm Check Point Software, warned the flaw could have exposed company directors to significant risk if exploited by malicious actors.

“This is the latest in a series of public sector data disasters that threatens the privacy, security and personal safety of hundreds of thousands of company directors,” he said.

“A bug of this scale is a gift to cybercriminals seeking to upload false documentation, impersonate CEOs and facilitate data theft. It’s time for a complete overhaul of core systems, with security built in from the outset rather than added as an afterthought.”

The incident has also raised concerns about the resilience of digital systems used by government agencies to manage critical national data. Companies House maintains records for more than five million UK companies and processes millions of filings every year.

Kenny MacAulay, chief executive of accounting software platform Acting Office, said the vulnerability highlighted deeper issues around digital security and system oversight.

“Another day, another massive public sector data blunder,” he said. “It defies belief that hackers can so easily gain access to seemingly the entire dashboard of tens of thousands of companies and their respective directors across the UK.

“Basic compliance requirements should be in place to prevent data leakage like this from happening, with sites thoroughly checked for bugs and security weaknesses on a regular basis.”

Under the UK’s Computer Misuse Act 1990, gaining unauthorised access to computer systems or data can carry serious legal consequences. Accessing computer material without permission can lead to a prison sentence of up to two years, while accessing data with intent to commit further crimes such as fraud can carry penalties of up to five years.

The discovery of the flaw comes amid increasing scrutiny of the UK’s corporate registry system. Companies House has undergone significant reforms in recent years aimed at improving transparency and reducing fraud, including the introduction of new identity verification rules for company directors.

However, cybersecurity specialists say the latest incident underlines the need for continued investment in secure digital infrastructure, particularly for systems that hold sensitive personal and corporate data.

Companies House has not yet confirmed how long the vulnerability existed or whether any data was accessed or misused before the service was taken offline. Investigations into the breach are ongoing, and the agency is expected to provide further updates once the review is complete.