Firms urged to check if other users edited their data on Companies House
Briefly

"Logged-in users may have been able to view and edit other companies' details, including directors' home addresses and emails, without their consent. Companies House said it was made aware of the security issue on Friday and it had been resolved by Monday. It said it had no current reports of data having been accessed."
"The security issue was introduced when it updated their WebFiling systems - the online service by which UK company directors submit legal documents such as annual accounts - in October 2025. The flaw was reportedly discovered on Thursday by John Hewitt from the corporate services provider Ghost Mail, who alerted Companies House and the independent think tank the Tax Policy Associates."
"Hewitt discovered that by going to his own company's dashboard and trying to view another which he didn't own and pressing the back key four times, he was suddenly able to see the dashboard of the other company. Companies House said it closed its WebFiling system on Friday while it investigated the issue."
Companies House, the UK government agency responsible for company registration, was alerted to a security flaw in its WebFiling system that was introduced during an October 2025 update. The vulnerability allowed logged-in users to access and potentially edit other companies' confidential information without authorization, including directors' dates of birth, residential addresses, and email addresses. The issue was identified on Thursday by John Hewitt from Ghost Mail, who discovered he could access another company's dashboard by navigating backwards through browser history. Companies House immediately closed the WebFiling system on Friday for investigation and resolved the issue by Monday. The agency reported no confirmed data breaches and notified the Information Commissioner's Office and National Cyber Security Centre.
Read at www.bbc.com