
Companies House Suspends WebFiling After Critical Data Exposure Glitch

3 min read · Verified by 2 sources

Key Takeaways

  • Companies House has taken its WebFiling service offline following the discovery of a severe vulnerability that allowed users to view and edit the personal data of other businesses.
  • The flaw, which exposed directors' home addresses and dates of birth, was triggered by a simple browser navigation action, raising significant concerns over corporate identity theft and fraud.

Mentioned: Companies House (company), Dan Neidle (person), Tax Policy Associates (company), AstraZeneca (AZN), Shell (SHEL), Tesco (TSCO)

Key Facts

  1. WebFiling service suspended on March 13, 2026, after a critical vulnerability was discovered.
  2. The glitch allowed users to view and edit other companies' data by simply pressing the 'back' key.
  3. Exposed information includes directors' home addresses, email addresses, and dates of birth.
  4. Tax expert Dan Neidle of Tax Policy Associates alerted Companies House to the issue on Friday.
  5. Companies House has advised users to screenshot error messages for filing deadline leniency.

Who's Affected

  • Companies House (company): Negative
  • Company Directors (person): Negative
  • AstraZeneca / Shell / Tesco (company): Negative
  • Fraudsters (person): Positive

Analysis

The suspension of the UK’s Companies House WebFiling service marks a significant failure in the digital infrastructure of one of the world’s most critical corporate registries. The vulnerability, characterized by tax expert Dan Neidle as "absolutely insane," allowed users to bypass standard authentication barriers simply by using a browser's back button. This glitch was not a sophisticated cyberattack but a fundamental breakdown in session management, exposing sensitive personal data of directors across the UK’s corporate landscape, including those at FTSE 100 giants like Shell, AstraZeneca, and Tesco.

The technical nature of the flaw—whereby a user could navigate into the dashboard of a different entity—suggests a failure in how the WebFiling platform handled state and session tokens. In modern web architecture, such session-management or Insecure Direct Object Reference (IDOR) vulnerabilities are considered elementary security oversights. For a government agency tasked with maintaining the integrity of the UK's business environment, the exposure of home addresses, dates of birth, and email addresses provides a potential gold mine for identity thieves and fraudsters.
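The session-scope failure described above is the classic shape of an IDOR: the server keys a record lookup on an identifier the client supplies (here, the company being viewed) without checking that the current session is actually authorised for that company. The following is an added illustration, not Companies House code and not a description of how WebFiling is built; the company numbers, director records, log entries and function names are all constructed for the example. It places a vulnerable dashboard handler beside a hardened one that enforces the session's company scope on both the read and the write path, sets no-store cache headers so an authenticated page cannot be replayed from browser history, and runs a small audit over a constructed access log of the kind a forensic review of filings during the exposure window would need.

```python
"""Illustrative session-scope (IDOR) check. Not Companies House code; all
company numbers, records and log lines below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample registry: two companies with the kind of personal data
# the article says was exposed (director date of birth, registered office).
COMPANY_RECORDS: Dict[str, Dict[str, str]] = {
    "00000001": {"name": "Example Plc", "director_dob": "1970-01-01",
                 "registered_office": "1 Example Street"},
    "00000002": {"name": "Sample Ltd", "director_dob": "1985-06-15",
                 "registered_office": "2 Sample Road"},
}

# Headers that stop the browser and any shared cache from re-serving an
# authenticated page out of history after a logout or company switch.
NO_STORE_HEADERS = {"Cache-Control": "no-store, max-age=0", "Pragma": "no-cache"}


@dataclass
class Session:
    session_id: str
    authorised_companies: Set[str] = field(default_factory=set)


@dataclass
class Response:
    status: int
    body: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)


def dashboard_vulnerable(session: Session, company_number: str) -> Response:
    """'Before': the company number from the request is used directly as the
    record key, so any logged-in session can read any company's record."""
    record = COMPANY_RECORDS.get(company_number)
    if record is None:
        return Response(404, {"error": "not found"})
    return Response(200, dict(record))  # session is never consulted


def _in_scope(session: Session, company_number: str) -> bool:
    """Single authorisation check shared by every handler."""
    return company_number in session.authorised_companies


def dashboard_hardened(session: Session, company_number: str) -> Response:
    """'After': the lookup only happens once the session is known to be
    authorised for that company. Out-of-scope and non-existent companies get
    the same 404 so the endpoint cannot be used to enumerate valid numbers."""
    if not _in_scope(session, company_number):
        return Response(404, {"error": "not found"}, dict(NO_STORE_HEADERS))
    record = COMPANY_RECORDS.get(company_number)
    if record is None:
        return Response(404, {"error": "not found"}, dict(NO_STORE_HEADERS))
    return Response(200, dict(record), dict(NO_STORE_HEADERS))


def update_registered_office(session: Session, company_number: str,
                             new_address: str) -> Response:
    """Write path with the same scope check: an edit aimed at a company the
    session is not authorised for is refused, not applied."""
    if not _in_scope(session, company_number) or company_number not in COMPANY_RECORDS:
        return Response(404, {"error": "not found"}, dict(NO_STORE_HEADERS))
    COMPANY_RECORDS[company_number]["registered_office"] = new_address
    return Response(200, {"registered_office": new_address}, dict(NO_STORE_HEADERS))


# Constructed access log: each entry records which session touched which
# company, and the companies that session was authorised for at the time.
ACCESS_LOG: List[Dict[str, object]] = [
    {"session": "s1", "authorised": {"00000001"}, "company": "00000001", "method": "GET"},
    {"session": "s1", "authorised": {"00000001"}, "company": "00000002", "method": "GET"},
    {"session": "s2", "authorised": {"00000002"}, "company": "00000002", "method": "POST"},
    {"session": "s3", "authorised": {"00000001"}, "company": "00000002", "method": "POST"},
]


def audit_access_log(entries: List[Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """Flag every request that reached a company outside the session's scope.
    POST entries are the ones a filing review would prioritise, since they
    represent edits rather than views."""
    flagged = []
    for e in entries:
        if e["company"] not in e["authorised"]:
            flagged.append((str(e["session"]), str(e["company"]), str(e["method"])))
    return flagged


if __name__ == "__main__":
    s1 = Session("s1", {"00000001"})
    print("vulnerable:", dashboard_vulnerable(s1, "00000002").status)  # 200
    print("hardened:  ", dashboard_hardened(s1, "00000002").status)    # 404
    print("flagged:   ", audit_access_log(ACCESS_LOG))
```

The design point is that the authorisation check is a function of the session, not of the URL, and that it runs before the record lookup on both reads and writes; the no-store headers address the separate back-button symptom, where a browser re-displays a page it already holds rather than re-requesting it. The audit function only shows the logic; a real review would need the platform's own logs, which the article notes Companies House has yet to account for.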


The implications extend far beyond simple data privacy. As Neidle pointed out, the ability to not only view but edit data is the most alarming aspect. Fraudsters could theoretically change a company’s registered office address to a location under their control. Once the address is changed, they could intercept official correspondence, apply for credit in the company’s name, or even attempt to file fraudulent accounts to manipulate market perceptions or facilitate money laundering. For major corporations like AstraZeneca or Shell, the potential for corporate hijacking, however brief, necessitates an immediate and thorough forensic audit of all filings made during the period the vulnerability was live.

What to Watch

From a regulatory perspective, this incident arrives at a sensitive time. The UK government has been pushing for greater transparency and more robust powers for Companies House under the Economic Crime and Corporate Transparency Act. This legislation was intended to transform Companies House from a passive recipient of information into a proactive gatekeeper. However, this security lapse undermines public and corporate trust in the agency's ability to handle the very data it is now empowered to verify more strictly. If the vulnerability was present for an extended period—Neidle suggests anything over 15 days is high risk—the Information Commissioner’s Office (ICO) may launch an investigation into potential breaches of the UK GDPR.

Looking ahead, the recovery process for Companies House will involve more than just a technical patch. The agency must now provide a transparent account of how long this vulnerability existed and whether there is evidence of unauthorized access or data exfiltration. For businesses, the immediate priority is to monitor their filings and ensure no unauthorized changes were made. This event serves as a stark reminder that even the most trusted public institutions are susceptible to basic web vulnerabilities, and it highlights the critical role of independent researchers and whistleblowers in the cybersecurity ecosystem.

Timeline

  1. Vulnerability Discovered

  2. Companies House Alerted

  3. Service Suspension

  4. Filing Guidance Issued
