UK Companies House flaw exposed data

A UI bug at the UK’s Companies House exposed sensitive business and director data for nearly six months and even allowed potential unauthorized changes to director details. Regulators fixed the flaw, and the incident has reignited debate over private Digital Verification Service (DVS) oversight.

The flaw was first demonstrated on 12 March 2026 by John Hewitt of Ghost Mail, who showed Tax Policy founder Dan Neidle a recorded Zoom demo of viewing and editing another company's private WebFiling dashboard. (taxpolicy.org.uk) Companies House says its investigation indicates the bug was introduced during an October 2025 WebFiling update and exposed non-public fields including full dates of birth, residential addresses and company email addresses. (gov.uk) Officials confirmed the issue was not publicly accessible and required a logged-in user with an authorised WebFiling code, yet those authenticated sessions could reportedly be used to submit unauthorised filings such as accounts or changes to director details. (gov.uk)

The service was taken offline at 13:30 on 13 March and brought back online at 09:00 on 16 March after independent testing, according to Companies House’s statement. (gov.uk) Companies House has proactively reported the incident to the Information Commissioner’s Office and the National Cyber Security Centre and said it will email every registered company address while it analyses logs for anomalies. (gov.uk)

Investigations and reporting by Tax Policy and others note that the vulnerability affected the registry of roughly five million incorporated companies and that the demo produced a filing confirmation number, though Companies House says there are “no reports at this stage” of confirmed unauthorised changes while the probe continues. (taxpolicy.org.uk) The failure coincides with a UK government digital-identity consultation updated on 12 March 2026 and has prompted industry commentary, including a BiometricUpdate analysis, arguing the incident sharpens questions about oversight of private Digital Verification Service providers now operating under new statutory measures. (gov.uk)
