Companies House in the UK Offers Apology for Data Breach and Access Problems
Quick Read
- UK’s Companies House faced a data leak because of a flaw in the website.
- Confidential company data was exposed to unauthorized individuals.
- Data leak permitted changes to company records.
- The issue was identified as an insecure direct object reference (IDOR).
- Companies House has notified the appropriate authorities about the event.
- Registrants are encouraged to check that their company information is accurate.
Data Leak at UK Companies House Raises Security Alarm
Companies House Issues Apology
The CEO of the UK’s Companies House, Andy King, has expressed regret over a major security breach that exposed sensitive company data to unauthorized access. The flaw in the WebFiling service enabled users to view and change information belonging to unrelated companies, prompting grave privacy and security worries.
Identification and Effects
The flaw, first highlighted by UK tax analyst Dan Neidle, was revealed via a tip-off. This security weakness exposed sensitive information such as birth dates, home addresses, and email addresses, affecting the integrity of records for more than 5 million registered businesses.
Details of the Vulnerability
Exploiting the weakness required minimal technical ability. Users with valid access could modify records by merely entering a company’s registration number. The WebFiling system’s authentication process could be circumvented by using the browser’s back button, taking advantage of a vulnerability class known as insecure direct object reference (IDOR), in which a server acts on an object identifier supplied by the client without checking that the requester is authorized for that object.
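The following is an added example, not Companies House code: a minimal Python model of the missing object-level authorization check behind an IDOR, next to a handler that enforces it server-side on every request and logs denials for detection. The `Session` model, function names and sample records are assumptions made for illustration.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """The session may not act on the requested company."""

@dataclass
class Session:
    user: str
    # Companies this login has proved it may file for (assumed model).
    authorised: set = field(default_factory=set)

def sample_records():
    # Constructed sample data; company numbers and addresses are invented.
    return {
        "00000001": {"email": "filer@alpha.example"},
        "00000002": {"email": "filer@beta.example"},
    }

def update_email_vulnerable(records, session, company_number, new_email):
    # IDOR: checks only that a session exists, then trusts the
    # client-supplied company number as the record to change.
    if session is None:
        raise Forbidden("login required")
    records[company_number]["email"] = new_email
    return records[company_number]

def update_email_hardened(records, session, company_number, new_email, audit):
    # Object-level authorisation, evaluated server-side on every request,
    # so no navigation path (cached page, back button) can skip it.
    user = session.user if session else None
    allowed = session is not None and company_number in session.authorised
    if not allowed or company_number not in records:
        # Same error for "not yours" and "does not exist"; log for detection.
        audit.append({"event": "denied", "user": user, "company": company_number})
        raise Forbidden("not authorised for this company")
    records[company_number]["email"] = new_email
    audit.append({"event": "updated", "user": user, "company": company_number})
    return records[company_number]

if __name__ == "__main__":
    recs, audit = sample_records(), []
    alice = Session("alice", {"00000001"})
    update_email_hardened(recs, alice, "00000001", "new@alpha.example", audit)
    try:
        update_email_hardened(recs, alice, "00000002", "new@alpha.example", audit)
    except Forbidden as exc:
        print("blocked:", exc)
    print(audit)
```

Denied entries in the audit list are the signal a defender would alert on: one user repeatedly requesting companies outside their authorized set.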
Reactions and Actions
In response to media reports, Companies House promptly shut down the WebFiling system. The problem arose from an update implemented in October 2025. The incident has been reported to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC) for further examination.
Future Considerations
Companies House is presently reviewing its data for any irregularities and has advised registrants to check the accuracy of their filing history. This situation emphasizes the crucial need for strong security protocols in handling sensitive business data.
Conclusion
The data leak at the UK’s Companies House has raised major alarms regarding data security and the safeguarding of sensitive company information. While swift actions have been implemented to remedy the vulnerability, the incident highlights the necessity for ongoing vigilance and enhancement of cybersecurity protocols.
