On Friday afternoon, 13 March 2026, the technical team at Companies House's Cardiff headquarters made a decision that a week earlier would have looked unimaginable: it took the WebFiling service down. At 1:30 PM, the system that almost all UK businesses use to submit their annual accounts, file confirmation statements and update director information went offline, and it stayed offline throughout the weekend.
Two days later, the agency explained in a public statement that the cause was a security flaw that had been quietly present in the system since October 2025 and had only just been brought to staff's attention. Technically, the error was almost laughably simple: a logged-in user viewing another company's profile could, by pressing the browser back button four times, see confidential director details that were never meant to be visible to anyone outside that company.
| Category | Detail |
|---|---|
| The Agency | Companies House — UK’s official registrar of companies; an executive agency of the Department for Business and Trade; maintains the public register of all UK-incorporated companies; based in Cardiff with offices in London, Edinburgh, and Belfast |
| Discovery Date | 13 March 2026 — vulnerability identified by John Hewitt of corporate services provider Ghost Mail; subsequently publicized by Dan Neidle of Tax Policy Associates after Hewitt initially struggled to reach Companies House directly; official update page on GOV.UK |
| Vulnerability Origin | Introduced via a WebFiling system update in October 2025; remained undetected for approximately five months; functioned similarly to an Insecure Direct Object Reference (IDOR) flaw; could be triggered by pressing the browser back button four times while viewing another company’s profile |
| What Was Exposed | Logged-in WebFiling users could access non-public information about other companies’ directors — including dates of birth, residential addresses, company email addresses; could also potentially submit unauthorized filings such as account changes or director amendments |
| Affected Scope | Approximately 5 million registered UK companies fell within the potentially affected register; verified affected entities included major UK firms across the FTSE 100 with confirmed data exposure including AstraZeneca, Tesco, and Shell |
| Containment Timeline | WebFiling shut down at 1:30 PM Friday 13 March 2026; emergency remediation conducted over the weekend; service restored at 9 AM Monday 16 March 2026 after independent security testing |
| Official Response | CEO Andy King issued public apology on 16 March; incident reported to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC); ongoing investigation into whether the flaw was exploited; King confirmed system design prevented automated bulk extraction |
| Critical Safeguards Maintained | Passwords were not compromised; identity verification data (passports, driving licences) was not exposed; existing filed documents were not altered; further analysis at Help Net Security and the Companies House public statement |
The account of how the vulnerability became public is instructive. On Thursday 12 March, John Hewitt, who works at the corporate services company Ghost Mail, found the vulnerability and tried to contact Companies House. After failing to reach anyone with the proper authority, he contacted Dan Neidle of Tax Policy Associates, a tax research organisation whose Twitter and LinkedIn presence has become an unofficial channel for whistleblowers on UK regulatory and tax matters.
Neidle went public with the demonstration on Friday morning after confirming the vulnerability himself: as a proof of concept, Hewitt remotely accessed his personal Companies House dashboard and changed his registered address. Companies House shut down WebFiling by Friday afternoon. In cybersecurity terms, the disclosure was handled properly. To the best of the agency's knowledge, the vulnerability was not maliciously exploited before it was detected.
For the approximately 5 million organisations on the register, the most important part of the story is what was exposed during the five months the vulnerability was live. Any authenticated WebFiling user could access the non-public director information of any other registered company, including dates of birth, residential addresses and company email addresses.
It also allowed such users to submit fraudulent account filings, altered registered addresses and changes to director details on behalf of other businesses. At the very least, the damage was limited by the system architecture.
CEO Andy King stated that access was restricted to one company record at a time, viewed through the standard user interface, and that the vulnerability could not be automated to harvest data at scale. Bulk data scraping was, in other words, prevented by design. This is a significant restriction, but it rests on the assumption that no motivated attacker worked methodically through high-value targets one record at a time over five months.
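As an added illustration (not Companies House code; the real WebFiling design is not public), the following Python contrasts a handler that takes the company in scope from navigation state with one that checks authorization on every request, and runs the kind of retrospective audit over access logs that a "was it exploited" review needs. The user names, company numbers, log format and the one-company-at-a-time review logic are all assumptions constructed for the example.

```python
import json

# Constructed sample data: the company numbers each WebFiling user may act for.
AUTHORIZATIONS = {
    "user_a": {"00000001"},
    "user_b": {"00000002", "00000003"},
}

# Constructed non-public director fields, keyed by company number.
DIRECTOR_RECORDS = {
    "00000001": {"dob": "1970-01-01", "home_address": "1 Example Street"},
    "00000002": {"dob": "1985-05-05", "home_address": "2 Example Road"},
    "00000003": {"dob": "1990-09-09", "home_address": "3 Example Avenue"},
}

def is_authorized(user: str, company_number: str) -> bool:
    """Authorization comes from the authenticated identity and the requested
    object only, never from where the browser happens to have navigated."""
    return company_number in AUTHORIZATIONS.get(user, set())

def get_directors_trusting_session(session: dict) -> dict:
    """IDOR-style pattern: the company in scope is read from navigation state the
    client can steer (e.g. via browser history) and is never re-checked."""
    return DIRECTOR_RECORDS[session["current_company"]]

def get_directors_checked(user: str, company_number: str) -> dict:
    """Hardened pattern: the authorization check runs on every request."""
    if not is_authorized(user, company_number):
        raise PermissionError(f"{user} may not view company {company_number}")
    return DIRECTOR_RECORDS[company_number]

def audit_unauthorized_reads(log_lines) -> dict:
    """Retrospective review over JSON audit lines: director-detail reads of
    companies the user was not authorized for, grouped per user."""
    findings = {}
    for line in log_lines:
        entry = json.loads(line)
        if entry["action"] != "read_directors":
            continue
        if not is_authorized(entry["user"], entry["company"]):
            findings.setdefault(entry["user"], set()).add(entry["company"])
    return {user: sorted(companies) for user, companies in findings.items()}

# Constructed audit lines; user_a's reads of other companies are the findings.
SAMPLE_LOG = [
    '{"user": "user_a", "action": "read_directors", "company": "00000001"}',
    '{"user": "user_a", "action": "read_directors", "company": "00000002"}',
    '{"user": "user_a", "action": "read_directors", "company": "00000003"}',
    '{"user": "user_b", "action": "read_directors", "company": "00000002"}',
]
```

A single user account appearing against many distinct companies in the audit output is the methodical one-record-at-a-time pattern that the "no bulk extraction" argument does not rule out.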

The list of businesses verified to fall within the affected scope is a dismal one: the UK directors of AstraZeneca, Tesco, Shell and the majority of the FTSE 100. Smaller businesses, the millions of single-director limited companies that make up the great majority of the register, were in principle just as exposed. Companies House has emailed all registered companies asking them to check their filing history for unexpected changes, especially changes to director details or unapproved account submissions.
The National Cyber Security Centre and the Information Commissioner's Office have been informed, and an inquiry into whether the vulnerability was exploited while it was live is under way. For a UK government body, Andy King's public apology on 16 March was unusually direct. It acknowledged that the incident had caused worry and annoyance and explicitly accepted that the system update was partly to blame.
The technical analysis published by independent security researchers in the days after the disclosure suggests that the Companies House incident is the kind of vulnerability that arises when government digital systems are updated faster than the security review procedures that ought to accompany them.
The October 2025 update was part of the broader changes brought in by the Economic Crime and Corporate Transparency Act 2023, legislation created specifically to improve the integrity of the UK's company register and prevent the misuse of shell companies. No one in the regulatory world has missed the irony of anti-financial-crime legislation unintentionally leading to one of the largest UK government data exposures in recent memory. Passwords were not compromised. Identity verification documents were not exposed. Filed documents were not altered. These are real and significant limits on the damage.
However, the fact that a system used by five million businesses was vulnerable for five months, that an external researcher found the flaw rather than internal monitoring, and that disclosure required a third party to go public on social media before the agency acted all point to a problem that goes beyond a single bug. The fix has been deployed. Learning the lessons will take longer, for any government agency preparing similar reforms.