UK Companies House WebFiling had a broken access control flaw for five months. The bug exposed private records of up to five million businesses. Directors' home addresses, dates of birth, and email addresses were visible to any authenticated person. Unauthorized modifications to corporate filings appeared possible.
John Hewitt, Director of Operations at Ghost Mail, found the flaw on Thursday March 12, 2026. He tried to reach Companies House but got no response. Hewitt contacted Dan Neidle, founder of Tax Policy Associates, who verified the exploit using a consenting firm (ClarityDW Ltd, owned by Jonathan Phillips).
An authenticated individual opens their own account panel. They select "file for another company" and enter any registration number (publicly available). The system prompts for a two-factor token the individual cannot provide. Pressing the browser's back button several times loads the target's private panel instead.
Neidle tested whether modifications would go through. A registered-office change generated a submission confirmation number. The receipt email went to Hewitt (the unauthorized party), not to the actual officer of the target entity.
People could get enough data about a company and its directors to potentially commit fraud — to pretend to be it.
— Dan Neidle, Founder, Tax Policy Associates
Companies House confirmed the bug originated in an October 2025 WebFiling update. Security experts consulted for the Tax Policy Associates disclosure identified the root cause as an "authentication is not authorization" failure. The server validated login status but never checked per-entity access rights. Access control logic sat only at the UI layer.
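To make the root cause concrete, here is an added, constructed model of the two handler patterns the experts contrast (this is illustrative code written for this article, not Companies House's WebFiling code). The company numbers, accounts, e-mail addresses and entitlement table are all invented sample values. The vulnerable handler checks only that a session is logged in, so any account can read any company's private panel; the hardened handlers re-check, on the server and on every request, that the account is entitled to act for the specific company number, and send the submission receipt to the company's officer of record rather than to the requester.

```python
"""Server-side per-entity authorisation for a multi-company filing service.

Added example with constructed data; not the registry's real code or records.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample registry: company number -> private details.
COMPANIES = {
    "00000001": {"name": "Alpha Ltd", "registered_office": "1 Example Street",
                 "officer_email": "officer@alpha.example"},
    "00000002": {"name": "Beta Ltd", "registered_office": "2 Example Road",
                 "officer_email": "officer@beta.example"},
}

# Constructed entitlement table: account -> company numbers it may act for.
ENTITLEMENTS = {
    "alice": {"00000001"},
    "bob": {"00000002"},
}


@dataclass
class Session:
    user: Optional[str]  # None means the caller is not logged in


class AuthenticationRequired(Exception):
    pass


class Forbidden(Exception):
    pass


def require_login(session: Session) -> str:
    """Authentication only: proves *someone* is logged in."""
    if session.user is None:
        raise AuthenticationRequired("login required")
    return session.user


def require_company_access(session: Session, company_number: str) -> str:
    """Authentication plus authorisation for this specific company, evaluated
    on the server for every request; the UI flow is not trusted to gate it."""
    user = require_login(session)
    if company_number not in ENTITLEMENTS.get(user, set()):
        # Same response whether or not the company number exists.
        raise Forbidden(f"{user} is not authorised for that company")
    return user


# --- vulnerable pattern: login checked, entitlement never checked -------------
def view_company_vulnerable(session: Session, company_number: str) -> dict:
    require_login(session)
    return COMPANIES[company_number]  # any logged-in account reads any panel


# --- hardened pattern: entitlement enforced server-side -----------------------
def view_company_fixed(session: Session, company_number: str) -> dict:
    require_company_access(session, company_number)
    return COMPANIES[company_number]


def change_registered_office_fixed(session: Session, company_number: str,
                                   new_address: str, outbox: list) -> str:
    """Mutation path: same check, and the receipt is addressed to the
    company's officer of record, never to whoever submitted the request."""
    user = require_company_access(session, company_number)
    record = COMPANIES[company_number]
    record["registered_office"] = new_address
    submission_id = f"SUB-{company_number}-{len(outbox) + 1}"  # constructed id
    outbox.append({"to": record["officer_email"],
                   "submission": submission_id,
                   "submitted_by": user})
    return submission_id


def access_outcome(handler, session: Session, company_number: str) -> str:
    """Classify a handler's decision so the two patterns can be compared."""
    try:
        handler(session, company_number)
        return "ok"
    except AuthenticationRequired:
        return "login-required"
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    alice = Session("alice")
    print("vulnerable, alice -> Beta:", access_outcome(view_company_vulnerable, alice, "00000002"))
    print("fixed,      alice -> Beta:", access_outcome(view_company_fixed, alice, "00000002"))
    print("fixed,      alice -> Alpha:", access_outcome(view_company_fixed, alice, "00000001"))
```

The design point is that `require_company_access` is called inside every handler that reads or writes company data, so no sequence of client-side navigation can reach a data path that skipped the entitlement check.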
CEO Andy King downplayed the scope. Only authenticated individuals with a valid auth token could have exploited the flaw, he said. But as Neidle noted, anyone can create a business on the platform and obtain credentials. The pool of potential exploiters is not limited to existing officers.
If we find evidence that anyone has used this issue to access or change another company's details without authorisation, we will take firm action.
— Andy King, CEO, Companies House
Mandiant's 2024 research found that new vulnerabilities are exploited within 15 days on average. Five months of exposure makes independent discovery by bad actors probable. Tax Policy Associates consulted security experts who outlined criminal scenarios including identity fraud and fraudulent bank accounts opened in victim entities' names.
Companies House shut WebFiling at 13:30 UTC on Friday March 13 after Neidle's alert. The platform stayed offline for the entire weekend. Independent testing confirmed the fix, and WebFiling came back at 09:00 UTC on Monday March 16. The 67-hour outage disrupted routine corporate filings across the UK.
Broken access control has ranked #1 on the OWASP Top 10 since 2021.
The agency reported the incident to the ICO and the NCSC (National Cyber Security Centre). Under UK GDPR, exposure of home addresses and birth dates qualifies as a high-risk breach. Direct notification to all affected individuals is required. The agency stated it will contact every listed business with instructions on how to verify records. Passport information and identity verification materials were not exposed, according to Companies House.
Tax Policy Associates has documented persistent fraud on this same registry. In September 2025, the organization uncovered fake banks registered with real bank names (Herran Finance). A separate investigation found 900,000 UK entities with no UK officers, showing 17x higher fraud indicators. In February 2025, Tax Policy Associates exposed fabricated businesses claiming £4 billion in revenue with fake auditor certifications. The Economic Crime and Corporate Transparency Act 2023 gave Companies House new verification powers. The WebFiling bug was live throughout the period those powers were being implemented.
Every UK director should review their Companies House filing history for unauthorized changes. Check for unexpected modifications to officer details, registered offices, or filed accounts. Small businesses face the highest risk, as they typically lack the multi-signatory processes that would catch fraudulent submissions. Monitor for phishing emails referencing corporate records. Report any suspicious activity to Companies House and Action Fraud. The ICO's response is pending.