UK Companies House Registry Breach: 4-Month Data Exposure Through WebFiling Service
Companies House, the UK's official business registry, suffered a security flaw in its WebFiling service that exposed sensitive business information for approximately 4 months (October 2025 - present). The breach affected a government-critical infrastructure system handling registration data for all UK companies.
Incident Overview
Companies House, the UK government agency responsible for maintaining the registry of all incorporated companies in the United Kingdom, disclosed a security vulnerability in its WebFiling service that exposed business information. The flaw went undetected for approximately four months, from October 2025 until its recent discovery and remediation. The service was taken offline on Friday to apply fixes, which points to reactive incident response rather than proactive discovery.
Technical Impact & Scope
Specific technical details of the vulnerability are not provided in the available information, but the exposure of "companies' information" suggests that registration documents, officer details, financial filings, or other sensitive business records held in the registry may have been compromised. A four-month exposure window materially increases the likelihood that data was exfiltrated and misused. Because WebFiling is a public-facing service, the flaw is most plausibly an authentication bypass, an injection vulnerability, or an insecure direct object reference (IDOR), any of which would affect many organizations simultaneously rather than a single account.
Threat Implications
This breach is particularly concerning due to Companies House's role as critical national infrastructure. The exposed data could enable: (1) corporate espionage and competitive intelligence gathering, (2) fraud and identity exploitation using officer information, (3) supply chain attacks targeting UK business networks, (4) regulatory evasion through theft of compliance documents. Bad actors targeting UK businesses now have a centralized source of verified corporate intelligence.
Recommended Defender Actions
Organizations should immediately: verify the integrity of their Companies House filings, monitor for suspicious access patterns, implement additional identity verification for accounts with officer privileges, review financial and corporate governance documents for unauthorized access, and establish detection for any follow-on exploitation attempts. Incident responders should determine their organization's exact exposure window and whether sensitive data was accessed.
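The brief's advice to "monitor for suspicious access patterns" and to "establish detection for any follow-on exploitation attempts" is easiest to act on with a concrete heuristic. The script below is an added illustration written for this page; it is not Companies House code and does not describe the real WebFiling flaw. It assumes a constructed access-log layout with company numbers in the URL path and flags any client that walks many distinct company identifiers within a short window, the access pattern that abuse of an IDOR-style weakness (one of the root causes the brief considers plausible) would leave behind. Log lines, IP addresses, company numbers and thresholds are all constructed; adapt the regex and thresholds to your own portal's logs.

```python
"""Enumeration detector for a filing-portal access log (defender side).

Added example for the brief above, not code from Companies House or
from any description of the real WebFiling vulnerability. The log
format, IPs, company numbers and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log (hypothetical layout, RFC 5737 test addresses).
# 198.51.100.7 walks consecutive company numbers in seconds;
# 203.0.113.9 revisits a single company, which is what a real filer does.
SAMPLE_LOG = """\
198.51.100.7 [2025-10-03T09:00:01Z] "GET /company/00000101/filing-history HTTP/1.1" 200
198.51.100.7 [2025-10-03T09:00:02Z] "GET /company/00000102/filing-history HTTP/1.1" 200
198.51.100.7 [2025-10-03T09:00:03Z] "GET /company/00000103/filing-history HTTP/1.1" 200
198.51.100.7 [2025-10-03T09:00:04Z] "GET /company/00000104/filing-history HTTP/1.1" 200
198.51.100.7 [2025-10-03T09:00:05Z] "GET /company/00000105/filing-history HTTP/1.1" 200
203.0.113.9 [2025-10-03T09:00:10Z] "GET /company/00000101/filing-history HTTP/1.1" 200
203.0.113.9 [2025-10-03T09:30:00Z] "GET /company/00000101/officers HTTP/1.1" 200
"""

# Assumed line shape: <ip> [<iso-timestamp>] "<METHOD> /company/<8 digits>/..." <status>
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) /company/(?P<company>\d{8})/'
)


def parse_log(text):
    """Yield (client_ip, timestamp, company_number) for each matching line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that do not touch a company resource are ignored
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        yield m.group("ip"), ts, m.group("company")


def is_sequential(companies):
    """True when the company numbers form one consecutive run.

    Consecutive identifiers are a stronger enumeration signal than
    'many distinct identifiers' alone.
    """
    nums = sorted(int(c) for c in companies)
    return len(nums) > 1 and nums == list(range(nums[0], nums[0] + len(nums)))


def find_enumerators(text, window=timedelta(minutes=5), min_distinct=4):
    """Return {client_ip: {"distinct": n, "sequential": bool}} for clients
    that touch at least `min_distinct` different company numbers inside
    any `window`-long span of their own requests.

    Sliding-window over each client's time-sorted requests, keeping the
    largest set of distinct companies seen in any one window.
    """
    events = defaultdict(list)
    for ip, ts, company in parse_log(text):
        events[ip].append((ts, company))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        best = set()
        for end in range(len(evs)):
            # advance the window start until the span fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {c for _, c in evs[start:end + 1]}
            if len(distinct) > len(best):
                best = distinct
        if len(best) >= min_distinct:
            flagged[ip] = {"distinct": len(best), "sequential": is_sequential(best)}
    return flagged


if __name__ == "__main__":
    for ip, info in find_enumerators(SAMPLE_LOG).items():
        kind = "sequential" if info["sequential"] else "scattered"
        print(f"ALERT {ip}: {info['distinct']} distinct company numbers "
              f"in one 5-minute window ({kind})")
```

The thresholds are deliberately low so the constructed sample trips the rule; in production, baseline legitimate filer behaviour first (agents who file for many clients will legitimately touch many companies, but rarely consecutive numbers within seconds) and feed the alert into the same pipeline that receives the integrity checks on your own filings.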
Strategic Assessment
This incident highlights the vulnerability of centralized government registries and the cascading risks when such systems are compromised. The UK should conduct a comprehensive security audit of all Companies House systems and implement enhanced monitoring. The four-month detection lag raises questions about security monitoring capabilities and incident response maturity within UK government digital services.