"Our investigation has established that specific data from individual companies not normally published on the Companies House register may have been visible to other logged-in WebFiling users. This includes dates of birth, residential addresses, and company email addresses. It may also have been possible for unauthorized filings - such as accounts or changes of director - to have been made on another company's record."
"We believe that this issue could not have been used to extract data in large volumes or to access records systematically. Any access would have been limited to individual company records, viewed one at a time by a registered WebFiling user."
"An internal investigation revealed that changes made to the WebFiling platform in October 2025 introduced the unexpected behavior, but attention was first drawn to it on March 13 by tax professional Dan Neidle."
Companies House, the UK's business register agency, temporarily shut down its WebFiling service on March 13 after discovering a security vulnerability. The flaw allowed logged-in users to view and modify hidden personal information belonging to other companies, including directors' dates of birth, residential addresses, and company email addresses. Unauthorized filings such as account changes or director modifications could potentially have been made on other companies' records. The vulnerability affected individual company records accessed one at a time and could not extract data in large volumes. Passwords and identity verification documents remained protected. An internal investigation traced the issue to platform changes made in October 2025, with the problem first reported by tax professional Dan Neidle on March 13.
#data-security-breach #companies-house #webfiling-platform #personal-data-exposure #cybersecurity-incident
Read at Theregister
Unable to calculate read time
Collection
[
|
...
]