Companies House suspends filing service after cyber breach exposes director data

Companies House has suspended its online WebFiling service after a cyber vulnerability allowed users to access and edit sensitive personal data of some businesses registered on the UK business register.

The issue came after a security flaw in the government agency’s online dashboard allowed people to log into other companies’ accounts by pressing the browser’s back button. According to reports, the flaw could expose private information including directors’ home addresses, email addresses and dates of birth – data that could be used for fraud or identity theft.

The vulnerability was identified by Dan Neidle, founder of Tax Policy Associates, who informed Companies House of the issue on Friday. Needle warned that this error could have a negative impact if it existed for a long time before it was noticed.

“This could be worse if it’s been around for a long time,” he explained, describing the risk as “a completely crazy mistake about how easy it is to find.”

Following the warning, Companies House confirmed that it had closed the WebFiling system while the investigation was ongoing. The platform is widely used by businesses across the UK to submit official documents such as annual accounts, confirmation statements and other legal documents.

A Companies House spokesman said: “We are aware of the issue with our WebFiling service and have closed it while we investigate. We apologize for any inconvenience to our customers.”

A temporary suspension of service may disrupt normal company maintenance while technical teams assess the extent of the problem and determine whether data has been improperly accessed.

Cybersecurity experts say vulnerabilities of this nature can create opportunities for criminal activity, especially when sensitive business information is involved. Personal data such as directors’ home addresses and dates of birth can be used by fraudsters to impersonate business leaders, submit false documents or attempt to steal their information.

Graeme Stewart, head of public sector at cyber security firm Check Point Software, warned that the flaw could put corporate directors at greater risk if they were exploited by malicious actors.

“This is the latest in a series of public sector data breaches that threaten the privacy, security and personal safety of hundreds of thousands of corporate executives,” he said.

“A bug of this scale is a gift to hackers who want to upload fake documents, pose as CEOs and facilitate data theft. It’s time for a complete overhaul of core systems, with security built in from the start rather than added as an afterthought.”

The incident also raised concerns about the robustness of the digital systems used by government agencies to manage important national data. Companies House holds records for over five million UK companies and processes millions of filings every year.

Kenny MacAulay, chief executive of accounting software platform Acting Office, said the vulnerability highlights deeper issues around digital security and system oversight.

“Another day, another big public sector data error,” he said. “It defies belief that hackers can easily access the entire dashboard of tens of thousands of companies and their various directors across the UK.

“Basic compliance requirements must be in place to prevent data leaks like this from happening, where sites are regularly checked for bugs and security weaknesses.”

Under the UK’s Computer Misuse Act 1990, gaining unauthorized access to computer systems or data can have serious legal consequences. Accessing computer equipment without permission can lead to up to two years in prison, while accessing data with the intent to commit additional crimes such as fraud can carry penalties of up to five years.

The discovery of the error comes amid increasing scrutiny of the UK’s company registration system. Companies House has made significant changes in recent years aimed at improving transparency and reducing fraud, including the introduction of new identity verification rules for company directors.

However, cybersecurity experts say the latest incident underscores the need for continued investment in secure digital infrastructure, especially in systems that handle sensitive personal and company data.

Companies House has not confirmed how long the vulnerability existed or whether any data was accessed or misused before the service was taken offline. The investigation into the violation is ongoing, and the agency is expected to provide additional updates once the review is complete.