UK Companies House WebFiling Flaw Exposes Data of 5 Million Firms
What Happened — A logic flaw in the Companies House WebFiling portal allowed any authenticated user to view and potentially edit another company’s record by simply navigating back after selecting “file for another company.” The issue persisted from October 2025 until March 2026, exposing personal details (home addresses, dates of birth, email addresses) for roughly five million registered entities.
Why It Matters for TPRM —
- Unauthorized access to corporate registries can reveal sensitive director information, increasing phishing and social‑engineering risk for third‑party partners.
- Potential for fraudulent filings could affect supply‑chain contracts, credit assessments, and regulatory compliance.
- Government‑run registries are often a trusted data source; a breach erodes confidence in due‑diligence processes.
Who Is Affected — UK‑based corporations, their directors, and any downstream partners that rely on Companies House data for vetting, KYC, or credit checks.
Recommended Actions —
- Review any third‑party data feeds sourced from Companies House for anomalies.
- Re‑validate director and contact information for critical vendors.
- Update internal controls to treat data from the registry as potentially compromised for the affected period.
- Monitor for suspicious filings or changes in company records.
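One way to run the review and re-validation steps above over an internal vendor feed, as an added example that is not from the source article or from Companies House. The field names, the sample records and the exact window dates are assumptions (the brief gives only the months), and a flagged record is a prompt to re-validate, not evidence of tampering.

```python
from datetime import date

# Assumed bounds: the brief gives only months (October 2025 to March 2026).
WINDOW_START, WINDOW_END = date(2025, 10, 1), date(2026, 3, 31)
# Hypothetical field names for an internal vendor feed, not a Companies House schema.
SENSITIVE_FIELDS = ("registered_office", "directors", "contact_email")

def triage(baseline, current, critical_vendors):
    """Return {company_number: [reasons]} for records that need re-validation."""
    findings = {}
    for number, record in sorted(current.items()):
        reasons = []
        old = baseline.get(number)
        if old is None:
            # Nothing trustworthy to diff against, so verify out of band.
            reasons.append("no pre-window baseline")
        else:
            reasons += [f"{f} differs from baseline" for f in SENSITIVE_FIELDS
                        if old.get(f) != record.get(f)]
        # Any filing dated inside the affected period is queued for a manual check.
        reasons += [f"{x['type']} filed {x['date'].isoformat()} in affected period"
                    for x in record.get("filings", [])
                    if WINDOW_START <= x["date"] <= WINDOW_END]
        if reasons:
            if number in critical_vendors:
                reasons.insert(0, "critical vendor")
            findings[number] = reasons
    return findings

# Constructed sample data: company numbers, names and addresses are placeholders.
BASELINE = {
    "00000001": {"registered_office": "1 Example St, London",
                 "directors": frozenset({"A. Sample"}),
                 "contact_email": "ops@vendor-a.example"},
    "00000002": {"registered_office": "2 Example Rd, Leeds",
                 "directors": frozenset({"C. Sample"}),
                 "contact_email": "ops@vendor-b.example"},
}
CURRENT = {
    "00000001": {**BASELINE["00000001"],
                 "directors": frozenset({"A. Sample", "B. Placeholder"}),
                 "filings": [{"type": "director appointment", "date": date(2025, 11, 14)}]},
    "00000002": {**BASELINE["00000002"],
                 "filings": [{"type": "annual accounts", "date": date(2025, 8, 2)}]},
    "00000003": {"registered_office": "3 Example Ln, Cardiff",
                 "directors": frozenset({"D. Sample"}),
                 "contact_email": "ops@vendor-c.example", "filings": []},
}

if __name__ == "__main__":
    for number, reasons in triage(BASELINE, CURRENT, {"00000001"}).items():
        print(number, "->", "; ".join(reasons))
```

The baseline should be a snapshot taken before October 2025, since anything captured later falls inside the period the brief says to treat as potentially compromised.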
Technical Notes — The flaw stemmed from an authorization bypass introduced during an October 2025 WebFiling system update. No passwords or passport data were compromised, and no filed documents were altered, but personal identifiers were exposed one record at a time. Source: BleepingComputer