WebFiling Vulnerability Exposes UK Director Details and Enables Record Tampering
What Happened — A flaw in Companies House’s WebFiling portal allowed unauthenticated users to view personal director information and to alter company filing records. The service was taken offline, the vulnerability patched, and the portal restored.
Why It Matters for TPRM —
- Sensitive director data can be leveraged for social‑engineering attacks against third‑party vendors.
- Unauthorized changes to company records create legal and compliance risks for partners that rely on official filings.
- The incident highlights the need for continuous monitoring of government‑provided data sources.
Who Is Affected — UK‑registered companies, their directors, and any third‑party services that ingest Companies House data (e.g., credit‑risk platforms, compliance SaaS).
Recommended Actions —
- Review any reliance on Companies House data for due‑diligence or onboarding.
- Implement additional verification of director information from independent sources.
- Monitor the Companies House “WebFiling” service status and subscribe to change‑notification feeds.
Technical Notes — The issue appears to be an insecure direct object reference (IDOR) / improper access control flaw; no CVE has been assigned yet. Exposed data included director names, dates of birth, and appointment histories; altered data involved company filing entries. Source: HackRead
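One way to act on the recommended actions above, as an added example (not from the source article or from Companies House): compare successive ingests of company records and flag changes to the director fields and filing entries named in the Technical Notes. The record shape, identifiers and sample values are constructed, and rating an edit to an already-ingested filing higher than a director change is an assumption of this example.

```python
# Constructed record shape (assumption): each snapshot maps a company number to
# {"directors": {officer_id: {...}}, "filings": {entry_id: {...}}}.
WATCHED = ("name", "date_of_birth", "appointments")

def diff_snapshots(old, new):
    """Return (severity, company, detail) tuples for changes between two ingests."""
    findings = []
    for company, before in old.items():
        after = new.get(company)
        if after is None:
            findings.append(("high", company, "company missing from new snapshot"))
            continue
        old_dirs, new_dirs = before["directors"], after["directors"]
        for oid, rec in old_dirs.items():
            if oid not in new_dirs:
                findings.append(("review", company, f"director {oid} removed"))
                continue
            for field in WATCHED:
                if rec.get(field) != new_dirs[oid].get(field):
                    findings.append(("review", company, f"director {oid} {field} changed"))
        for oid in sorted(new_dirs.keys() - old_dirs.keys()):
            findings.append(("review", company, f"director {oid} added"))
        # New filing entries are expected; edits or removals of entries already seen are not.
        for fid, entry in before["filings"].items():
            if fid not in after["filings"]:
                findings.append(("high", company, f"filing {fid} removed"))
            elif after["filings"][fid] != entry:
                findings.append(("high", company, f"filing {fid} altered after ingest"))
    return findings

# Constructed sample data: two ingests of the same (fictional) company.
OLD = {"00000001": {
    "directors": {
        "d1": {"name": "A. Example", "date_of_birth": "1970-01", "appointments": ["2015-03-01 appointed"]},
        "d2": {"name": "B. Sample", "date_of_birth": "1982-07", "appointments": ["2019-06-10 appointed"]},
    },
    "filings": {"f1": {"type": "appointment", "date": "2015-03-02"}},
}}
NEW = {"00000001": {
    "directors": {
        "d1": {"name": "A. Example", "date_of_birth": "1971-01", "appointments": ["2015-03-01 appointed"]},
        "d3": {"name": "C. Unknown", "date_of_birth": "1990-11", "appointments": ["2024-01-05 appointed"]},
    },
    "filings": {"f1": {"type": "appointment", "date": "2016-03-02"},
                "f2": {"type": "appointment", "date": "2024-01-06"}},
}}

if __name__ == "__main__":
    for finding in diff_snapshots(OLD, NEW):
        print(finding)
```

Findings marked "review" are candidates for the independent verification step; a legitimate change should have a matching new filing entry, so a director change with no corresponding filing deserves the closest look.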