According to Tax Policy Associates, a critical vulnerability was found in a web application of Companies House, the government agency responsible for maintaining the public register of UK companies. The flaw was introduced in October 2025, discovered by John Hewitt of Ghost Mail on 12 March, and patched after the service was taken offline on Friday.
An attacker could have accessed the non-public information of five million registered firms, including directors’ dates of birth, home addresses and email addresses, and might have changed a company’s details or submitted unauthorized filings. Although exploitation required an authenticated user, it would have been easy and needed no technical skill: the user selected the file-for-another-company option and bypassed the authentication code prompt.
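The report describes a classic broken access control pattern: an authenticated user reaches a record for a company they have no authority over because the authorization step (the company authentication code prompt) can be skipped. The following is an added illustration of how such a gate goes wrong and how it is fixed; it is hypothetical example code, not Companies House's application, and the company numbers, authentication codes, record contents and function names are all constructed for the example. The vulnerable handler trusts a client-supplied flag that says the prompt was passed; the hardened handler only releases a record for a company whose code was verified server-side in the current session.

```python
"""Illustrative authorization gate for a 'file for another company' flow.

Hypothetical example, not Companies House's code. Assumes a session dict
held server-side, a per-company authentication code stored as a hash, and
a non-public record that must only be released once that code has been
verified for the specific company requested.
"""
import hashlib
import hmac

# Constructed sample data: company number -> hash of its authentication code.
COMPANY_AUTH_CODES = {
    "00000001": hashlib.sha256(b"ABC123").hexdigest(),
    "00000002": hashlib.sha256(b"ZZZ999").hexdigest(),
}

# Constructed sample data: the non-public details behind each company.
NON_PUBLIC_RECORDS = {
    "00000001": {"director_dob": "1970-01-01", "home_address": "1 Example St"},
    "00000002": {"director_dob": "1985-06-30", "home_address": "2 Sample Rd"},
}


def verify_auth_code(company_number, supplied_code):
    """Constant-time comparison of the supplied code against the stored hash."""
    expected = COMPANY_AUTH_CODES.get(company_number)
    if expected is None:
        return False
    supplied = hashlib.sha256(supplied_code.encode()).hexdigest()
    return hmac.compare_digest(supplied, expected)


def fetch_record_vulnerable(session, request):
    """VULNERABLE: decides authorization from a field the client controls.

    Any logged-in user who sends auth_code_verified=true for an arbitrary
    company number is handed that company's non-public record.
    """
    if not session.get("user_id"):
        return None  # unauthenticated: no access at all
    company = request["company_number"]
    if request.get("auth_code_verified") == "true":  # client-controlled flag
        return NON_PUBLIC_RECORDS.get(company)
    return None


def submit_auth_code(session, company_number, supplied_code):
    """HARDENED step 1: verify the code server-side and record the result
    in session state, keyed to the exact company it was verified for."""
    if verify_auth_code(company_number, supplied_code):
        session.setdefault("verified_companies", set()).add(company_number)
        return True
    return False


def fetch_record_hardened(session, request):
    """HARDENED step 2: release a record only for a company whose code this
    session has already verified. Nothing in the request can short-circuit it."""
    if not session.get("user_id"):
        return None
    company = request["company_number"]
    if company not in session.get("verified_companies", set()):
        return None  # prompt was skipped or failed: deny, regardless of request flags
    return NON_PUBLIC_RECORDS.get(company)


def sessions_accessing_many_companies(access_events, threshold):
    """Detection aid: list sessions that fetched records for more distinct
    companies than expected. access_events is a list of (session_id,
    company_number) tuples taken from application logs."""
    seen = {}
    for session_id, company in access_events:
        seen.setdefault(session_id, set()).add(company)
    return sorted(s for s, companies in seen.items() if len(companies) > threshold)
```

The important property is that the server keeps its own record of which companies this session has proved authority for; the client never gets to assert it. The detection helper reflects the operator's statement that legitimate access is one company record at a time, so a session touching many distinct companies is worth alerting on.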
Companies House stated the issue was not accessible to the general public and that passwords and identity-verification data such as passports were not exposed. It added that the vulnerability could not have been used to extract data in large volumes or access records systematically, with access limited to individual company records viewed one at a time by a registered WebFiling user.