Directory Traversal Flaw Exposes UK Corporate Executives’ Personal Data via Companies House
What Happened – A directory‑traversal vulnerability in the UK Companies House WebFiling portal allowed authenticated users to view other companies’ dashboards, revealing directors’ email addresses, dates of birth and other personal details. The flaw existed for roughly five months before being reported and temporarily forced the service offline for remediation.
Why It Matters for TPRM (Third‑Party Risk Management) –
- Executive personal data is a prime vector for spear‑phishing and social‑engineering attacks against third‑party vendors.
- Exposure of director details can enable fraudulent filing of accounts or unauthorized amendments to corporate records.
- Government‑run registries are often integrated into supply‑chain due‑diligence workflows; a breach erodes trust in those data feeds.
Who Is Affected – UK‑registered companies (≈5 million), their directors, and any third‑party services that rely on Companies House data for onboarding, credit checks, or compliance.
Recommended Actions –
- Instruct affected directors to verify and, if necessary, update their details on Companies House.
- Review any third‑party risk models that ingest Companies House data for accuracy and integrity.
- Enhance phishing‑resilience training for executive teams and vendors.
- Verify that contractual clauses with data‑hosting providers cover vulnerability disclosure and remediation timelines.
Technical Notes – The issue stemmed from a directory‑traversal flaw in the WebFiling UI that bypassed authentication checks when a user selected “file for another company” and entered a target company number. No CVE had been assigned at the time of reporting. Exposed data included full dates of birth, email addresses, and residential information. Source: DataBreachToday
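The following Python model is an added illustration of the class of flaw described in the technical notes; it is not Companies House code, whose implementation is not shown on this page. It places a “file for another company” handler that builds a dashboard path from the submitted company number and checks only login state beside a hardened handler that validates the number's format, checks the caller's authorisation for that specific company, and confines the resulting path to the dashboard root. The user names, company numbers, directory layout and the eight‑character company‑number format are constructed assumptions.

```python
import os
import re

# Constructed model of a filing portal (assumption, not the real WebFiling code):
# dashboards live under one root, one directory per company number, and an
# authorisation table records which logged-in user may act for which company.
DASHBOARD_ROOT = "/srv/webfiling/dashboards"
AUTHORISED = {"alice": {"01234567"}, "bob": {"SC654321"}}
# Company numbers are modelled as eight alphanumeric characters (assumed format).
COMPANY_NUMBER_RE = re.compile(r"[A-Z0-9]{8}")


class Forbidden(Exception):
    pass


def dashboard_path_vulnerable(user, company_number):
    """Flawed 'file for another company' handler: it confirms the caller is logged
    in, then trusts the submitted company number, so any authenticated user reaches
    any company's dashboard, and a traversal sequence can leave the dashboard root."""
    if user not in AUTHORISED:
        raise Forbidden("login required")
    return os.path.join(DASHBOARD_ROOT, company_number, "dashboard.html")


def dashboard_path_hardened(user, company_number):
    """Hardened handler: strict format check, per-company authorisation,
    and confinement of the final path to the dashboard root."""
    if user not in AUTHORISED:
        raise Forbidden("login required")
    if not COMPANY_NUMBER_RE.fullmatch(company_number):
        raise ValueError("malformed company number")
    if company_number not in AUTHORISED[user]:
        raise Forbidden("caller is not authorised for this company")
    path = os.path.normpath(os.path.join(DASHBOARD_ROOT, company_number, "dashboard.html"))
    # Defence in depth: even a validated value must not resolve outside the root.
    if os.path.commonpath([DASHBOARD_ROOT, path]) != DASHBOARD_ROOT:
        raise Forbidden("path escapes dashboard root")
    return path


def decide(handler, user, company_number):
    """Run a handler and summarise the outcome as (status, detail) for logging or tests."""
    try:
        return ("served", handler(user, company_number))
    except Forbidden as exc:
        return ("denied", str(exc))
    except ValueError as exc:
        return ("rejected", str(exc))
```

Comparing `decide(dashboard_path_vulnerable, ...)` with `decide(dashboard_path_hardened, ...)` for a company the caller does not own shows the difference between a login check and a per-resource authorisation check.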