Security failure at Companies House exposes millions of residential addresses and management posts

Published · 5 min read

Companies House, the registry for all companies in the United Kingdom, has reopened its WebFiling service after taking it offline as a matter of urgency to correct a security flaw that reportedly allowed access to internal information on millions of companies. The problem appeared after an update made in October 2025 and reportedly remained active for several months, exposing sensitive data relating to the addresses and contact details of the people responsible for registered companies.

The finding became public after researcher John Hewitt, known for his work with Ghost Mail, reported the flaw and did not get an adequate response, at which point Dan Neidle, founder of the non-profit organisation Tax Policy Associates, escalated the incident to Companies House. The technical description of the defect is unusually simple: after signing in with a legitimate account, choosing to "file on behalf of another company", entering a company number and then pressing the browser's back button, the session could end up "attached" to the record of the other company. In other words, an authenticated user could find themselves looking at another company's management panel without having supplied the corresponding verification code.

Image generated with AI.

The estimated scope of the problem is large: reports speak of up to five million potentially affected records over a period of about five months. Data that could have become visible include dates of birth, residential addresses and e-mail addresses associated with companies. Companies House confirmed that, according to its initial findings, no passwords or identity-verification documents (e.g. passports) were compromised, and that documents already filed publicly could not be modified through this flaw. The agency itself published a note explaining its initial assessment and the measures taken: Companies House statement.

The agency further indicated that the vulnerability could only be exploited by authenticated users and that the method gave access to one record at a time, which limits some automated mass attacks but does not completely eliminate the risk of systematic abuse, for example to harvest addresses or compile lists for phishing campaigns. Companies House has reported the incident to the UK Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC), and says the investigation is still under way.

Beyond the chronology and official statements, the practical consequences for companies and their officers are clear. The exposure of personal addresses and e-mail addresses increases the risk of targeted social-engineering campaigns, harassment, identity theft and fraud involving board members or directors. Public information that provides commercial transparency also creates tension with privacy: the public register exists to prevent financial crime and increase transparency, but when the technical mechanisms fail, the same openness can become a vulnerability.

What can companies and officers do now? First, review the notifications and activity history in Companies House to detect unauthorised changes. It is prudent to enable any alert mechanism the register offers, and to be wary of suspicious e-mails and calls that may seek to take advantage of the leaked data. People whose home addresses are on the register may consider applying for residential-address protection where the rules allow it, and all companies should strengthen internal controls: validate notifications of changes to the registration through independent channels, check signatures and authorisations before accepting modifications and, if abnormal activity is detected, contact Companies House and consider a formal notification to the ICO.

From a technical and organisational point of view, the incident highlights common failures in change and deployment management: updates that introduce regressions in session logic or access control are a recurring source of leaks. Code audits, regression tests, access-control reviews and responsible-disclosure programmes (bug bounties) are measures that help catch flaws before they reach production. In addition, public registers with a privacy impact must balance availability with strict security controls and a clear, transparent response plan for when something goes wrong.
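The flaw described earlier (a multi-step "act on behalf of another company" flow in which a session becomes attached to a company before the verification step has completed) and the regression-testing point made in this paragraph can both be illustrated with a small model. The following Python is an added example written for this article, not Companies House code, and it does not claim to reproduce WebFiling's actual implementation: the session structure, handler names, company numbers, verification codes and records are all constructed. It shows the weak pattern beside a hardened version, and a regression test that replays the reported "enter a number, press Back, open the dashboard" sequence against each.

```python
"""Illustrative model of a session-state regression in a multi-step
"file on behalf of another company" flow. Everything here (names,
numbers, codes, records) is constructed for the example and is NOT
Companies House code or data."""

from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: which verification code unlocks which company.
AUTH_CODES = {"00000001": "ABC123", "00000002": "XYZ789"}
RECORDS = {
    "00000001": {"name": "Example One Ltd", "officer_address": "1 Sample Street"},
    "00000002": {"name": "Example Two Ltd", "officer_address": "2 Sample Road"},
}


@dataclass
class Session:
    user: str
    company: Optional[str] = None       # company the session is "attached" to
    pending: Optional[str] = None       # number typed but not yet verified
    verified: set = field(default_factory=set)  # companies unlocked by code


# --- Weak flow: state is written before the verification step ------------
def vuln_enter_company(session: Session, number: str) -> None:
    # Defect: attaches the session to the company as soon as a number is
    # typed, relying on the *next* page to collect the verification code.
    session.company = number


def vuln_enter_code(session: Session, code: str) -> bool:
    ok = AUTH_CODES.get(session.company) == code
    if not ok:
        session.company = None
    return ok


def vuln_dashboard(session: Session):
    # Only checks that *some* company is attached. Navigating back skips
    # vuln_enter_code entirely, so this check is satisfied without a code.
    if session.company is None:
        return "forbidden"
    return RECORDS[session.company]


# --- Hardened flow: attach only after verification, re-check per request --
def safe_enter_company(session: Session, number: str) -> None:
    # Remember the request only; nothing is attached yet.
    session.pending = number


def safe_enter_code(session: Session, code: str) -> bool:
    number = session.pending
    session.pending = None
    if number is not None and AUTH_CODES.get(number) == code:
        session.verified.add(number)
        session.company = number
        return True
    return False


def safe_dashboard(session: Session):
    # Every request re-checks that the attached company was actually
    # unlocked in this session rather than trusting the attach field alone.
    if session.company is None or session.company not in session.verified:
        return "forbidden"
    return RECORDS[session.company]


def replay_back_button(enter_company, dashboard):
    """Regression test for the reported sequence: sign in, choose 'file on
    behalf of another company', type a number, press Back instead of
    entering the code, then open the dashboard. Returns what the user sees."""
    s = Session(user="user-a")          # constructed user with no company access
    enter_company(s, "00000002")
    # Pressing Back skips the code step: no enter_code call happens here.
    return dashboard(s)


if __name__ == "__main__":
    print("weak flow:    ", replay_back_button(vuln_enter_company, vuln_dashboard))
    print("hardened flow:", replay_back_button(safe_enter_company, safe_dashboard))
```

The point of `replay_back_button` is that it belongs in the project's automated test suite, so that a later change to how the session stores the selected company fails the build rather than reaching production. The hardened `safe_dashboard` also shows the general rule: authorisation is re-derived from server-side evidence of a completed check on every request, never inferred from a field that an earlier, unfinished step may have written.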


The situation also prompts a broader reflection on trust in digital public infrastructure. Company registers are pillars of the business ecosystem: they facilitate due diligence, hiring and oversight. But their secure operation depends on both the quality of the software and the governance around it: versioning, testing, documentation and reporting processes. Companies House's communication and the fact that it has informed the regulators are necessary steps, but to regain trust it will be essential for the investigation to determine whether the vulnerability was exploited, and for the lessons learned and improvements implemented to be published.

Those who want to follow the official progress of the case should consult the primary sources: the Companies House notification on the government site (official details) and the initial report from Tax Policy Associates documenting the discovery (analysis by Dan Neidle). It is also advisable to monitor the ICO's and NCSC's publications and guidance for recommendations and steps to take if you suspect you have been affected.

In short, this incident is a reminder for public bodies and companies alike: public transparency cannot be an excuse to neglect security. When the infrastructure that holds critical information fails, the consequences extend beyond the technical realm into the daily lives of people and businesses. The response will be judged not only by the fixes applied, but by the clarity and speed of the investigation and the assurances offered that something similar will not happen again.
