UK Companies House security blunder leaves director data exposed

by Tom Herbert, Technology editor, AccountingWEB
15th Mar 2026 · 41 comments

A security flaw on the UK’s official corporate register left the confidential details of more than five million companies at risk, with WebFiling users able to view and amend items for other companies, including director names and addresses, and potentially upload fraudulent accounts.

Companies House was forced to suspend online filings after discovering a major security shortcoming in its systems, which allowed users to edit the confidential data of other businesses.

In an update posted at 10.25am on Monday 16 March 2026, Companies House confirmed that WebFiling was closed at 1.30pm on Friday 13 March while the issue was investigated and resolved. According to the statement, the service has been independently tested and is back online as of 9am on 16 March.

The UK’s official online corporate register contains the details of more than five million companies, all of which were left vulnerable to potential fraud. The issue left logged-in WebFiling users free to change the name, address, email and full date of birth of company directors.
They could also have deleted or uploaded false company accounts for any company registered on the site.

According to the latest Companies House update, the vulnerability was introduced when its WebFiling systems were updated in October 2025. It is not known whether Companies House will be able to identify which company dashboards were accessed, although it confirmed it was actively looking into this and had so far received no reports of any details that had changed.

The issue is the latest in a series of IT failures that have dogged the UK’s One Login digital identity system.

Back button opens the dashboard door

The flaw did not require sophisticated technology or computer hacking skills to exploit. Users simply logged into Companies House using their own details and accessed their own company’s dashboard. From there, they had the option to “file for another company”, where they could enter the company number for any of the five million companies registered with Companies House. The system then requested an authentication code, which the user did not have. However, pressing the site’s “back” key several times returned them to the dashboard of the company they were trying to access, not their own, without the authentication code ever being entered.

From there, the user could view personal information about the company and its director that is normally hidden from public access. They could also change details such as the company’s registered address or potentially file fraudulent accounts.

Explaining the flaw

John Hewitt, operations director at register office provider Ghost Mail, first discovered the vulnerability. He contacted Companies House but did not receive a response, so instead got in touch with tax campaigner Dan Neidle to explain the flaw.
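The access-control gap in the back-button walkthrough above, modelled as an added example (this is not Companies House code; the register, user ids and auth codes are constructed). The vulnerable version switches the session's company context as soon as a number is entered, so re-requesting the dashboard without the code shows the other company; the hardened version grants access only after the code verifies and re-checks the user's relationship to the company on every read and write.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed sample register: company number -> private dashboard data.
# Every number, name, user id and auth code here is made up for the example.
REGISTER: Dict[str, dict] = {
    "00000001": {"name": "Alpha Ltd", "address": "1 Example Street", "director_dob": "1970-01-01"},
    "00000002": {"name": "Beta Ltd", "address": "2 Sample Road", "director_dob": "1980-02-02"},
}
ASSOCIATIONS: Dict[str, Set[str]] = {"user_a": {"00000001"}, "user_b": {"00000002"}}  # user -> own companies
AUTH_CODES: Dict[str, str] = {"00000001": "AAAAAA", "00000002": "BBBBBB"}  # per-company code

@dataclass
class Session:
    user: str
    company: Optional[str] = None                      # vulnerable design: "current company" pointer
    authorised: Set[str] = field(default_factory=set)  # hardened design: companies proven by code

class VulnerableWebFiling:
    """Switches the session's company context as soon as a number is typed in."""
    def file_for_another_company(self, s: Session, number: str) -> str:
        s.company = number            # BUG: context changes before the code is checked
        return "auth_code_required"   # the next page asks for the code...

    def dashboard(self, s: Session, number: str) -> Optional[dict]:
        # ...but the dashboard route only checks that someone is logged in and
        # trusts whatever company the session currently points at.
        return REGISTER.get(s.company)

class HardenedWebFiling:
    """Grants nothing until the code is verified; every request re-checks the relationship."""
    def __init__(self) -> None:
        self.pending: Dict[str, str] = {}   # user -> company awaiting an auth code

    def file_for_another_company(self, s: Session, number: str) -> str:
        self.pending[s.user] = number       # remembered server-side, no access yet
        return "auth_code_required"

    def submit_auth_code(self, s: Session, code: str) -> bool:
        number = self.pending.pop(s.user, None)
        if number is not None and AUTH_CODES.get(number) == code:
            s.authorised.add(number)        # access is granted only here
            return True
        return False

    def _allowed(self, s: Session, number: str) -> bool:
        return number in ASSOCIATIONS.get(s.user, set()) or number in s.authorised

    def dashboard(self, s: Session, number: str) -> Optional[dict]:
        return REGISTER[number] if self._allowed(s, number) else None

    def change_address(self, s: Session, number: str, new_address: str) -> bool:
        if not self._allowed(s, number):    # mutations use the same check as reads
            return False
        REGISTER[number]["address"] = new_address
        return True

def back_button_exposes_dashboard(app, user: str, target: str) -> bool:
    """Regression check: ask to file for another company, never enter its code, then
    request the dashboard again (all that navigating 'back' amounts to). True = leak."""
    s = Session(user=user)
    app.file_for_another_company(s, target)
    return app.dashboard(s, target) is not None
```

The regression check is the kind of test that would have caught the flaw before release: it never supplies the code and must come back False for any design that ties access to the code rather than to a session pointer.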
In a video hosted on Neidle’s Tax Policy Associates website, Hewitt walked Neidle through the bug, demonstrating that he was able to view the private Companies House dashboard of ClarityDW Ltd, a digital communications consultancy owned by Jonathan Phillips (who had given the pair permission to do this). Hewitt then viewed Neidle’s company dashboard and modified his registered address. The change of address generated a confirmation number, which was sent to Hewitt’s email (not the email address registered for the company whose details were changed).

In his Tax Policy Associates post, Neidle confirmed he couldn’t immediately see whether the change was effective, because it takes around 24 hours for changes to be reflected in the dashboard – and the dashboard has now been shut down. He stated that it seemed likely any edit could be made to a company, including filing accounts, but added this was not tested because of concerns it could be a criminal offence to do so. Using a computer to access data without permission, even without malicious intent, is an offence under the Computer Misuse Act and is punishable by up to two years in prison.

Security shutdown and GDPR responsibilities

Neidle contacted Companies House about the security flaw, and the organisation responded by shutting down the e-filing system. It was only after this was confirmed that Neidle published his story.

In the updated statement from Companies House, chief executive Andy King apologised for the “concern and inconvenience” to the companies and individuals who rely on its services. “Companies House takes its responsibility to protect the data entrusted to us extremely seriously,” said King.
“We have taken swift action to secure and restore our service, and are committed to doing everything in our power to support those affected and to making sure that our services continue to merit the trust placed in them.”

To comply with the UK’s GDPR data privacy legislation, Companies House has reported itself to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC). It stated it is also “actively analysing” its data to identify any anomalies, and will be emailing every company’s registered email address to explain how to check their details and what steps to take if they have any concerns.

“If we find evidence that anyone has used this issue to access or change another company’s details without authorisation, we will take firm action,” continued the statement.

Companies House strongly advised all companies to check their registered details and filing history to make sure everything appears correct. If a company has a concern, it should raise a complaint and include evidence to describe the concern.

One Login’s ‘critical flaws’

The security flaw is the latest in a series of IT failures that have dogged the UK’s gov.uk One Login digital identity system. One Login was designed to replace Government Gateway accounts as a single identity check and login system to access all central government services, with the eventual goal of all taxpayers, companies and agents accessing its services through One Login.

From 13 October 2025, users had to use One Login to sign in to their Companies House WebFiling account, and were required to verify their identity following a string of bogus company names and directors appearing on the register. However, the system has come under scrutiny following whistleblower allegations that it exposed user data to serious risks due to critical structural flaws.
A report from web publication ID Tech stated that shortly after the system’s launch in July 2022, a whistleblower raised concerns that One Login lacked “basic governance and risk management processes”, reportedly flagging more than 500,000 system vulnerabilities, with thousands rated as “critical” or “high” severity. One of the most serious allegations raised was the unauthorised outsourcing of development work to Romania, made without the approval of Government Digital Service (GDS) chief Tom Read or consultation with the NCSC.

Following an update from Companies House released 16 March 2026, this article has been amended to clarify that logged-in WebFiling users were able to access the details, not members of the general public.

Replies (41)

By DMossEsq, 15th Mar 2026 22:36
GOV.UK One Login is relied on by Companies House. And by HMRC for new accounts.
And by DWP and the Department for Education. Among others.

It is nearly a year since Computer Weekly magazine revealed the Romanian connection. They also revealed that the Government Digital Service (GDS) removed one level of information assurance on the GOV.UK One Login programme. Out of date, they said. Old-fashioned.

Since then GDS have repeated that they "follow the highest standards" of cyber security. That is manifestly false.

Time now for the ICAEW and other professional bodies to follow AccountingWeb's lead, get involved and advise their members how to proceed securely.
Thanks (21)

By Rob Swan, 16th Mar 2026 06:48
Spectacularly incompetent!! Who's to blame? CoHo, IT contractor/consultancy, ...? Who cares? Government IT has always been a bit of a failure/disaster/laughing stock/catastrophe/etc. Just one more 'Fail' to throw on the pile.

This is 'Beginner Basics' stuff for web sites and applications.

Meanwhile, the 'Government' continues to lecture one and all on.... well, everything. While they themselves cannot even meet the most basic standards.

Full Marks to John Hewitt and DN.

CoHo: Go and stand outside the Headmaster's office with your face to the wall.
Thanks (21)

Replying to Rob Swan:
By philaccountant, 16th Mar 2026 09:29
The obsession with 'modernising' systems that have been functioning perfectly well should be a lesson for those in charge. Be careful what you wish for, because in their attempt to bring all of those disparate logins together, they seem to have created an "all your eggs in one basket" single point of failure for everything.
Thanks (16)

Replying to philaccountant:
By Rob Swan, 16th Mar 2026 10:50
It'll be interesting to see what digital ID and MTD bring - in terms of failure ;-)

At best I doubt they'll work well; at worst... well, let's hope that doesn't happen. Only problem there is that 'hope' is not a strategy - even if it's Government strategy!
Thanks (5)

By johnthegood, 16th Mar 2026 09:07
Funnily enough we were just talking this morning about clients' seeming automatic trust of Gov One - we have probably had about 200 clients so far ID themselves and only 2 have said they refuse to use Gov One because of security concerns.
Thanks (8)

Replying to johnthegood:
By philaccountant, 16th Mar 2026 09:31
Bit of a rock and hard place for the average punter, given it was mandated by law. The only way around it would have been to get an ACSP to do it for you (who will have their own One Login) and that would likely have come at a financial cost.

I think people also have data leak fatigue now anyway. We are so used to hearing that company X has lost its entire database to hackers, that I expect many just assume all their data is out there to be had anyway.
Thanks (9)

Replying to philaccountant:
By Rgab1947, 16th Mar 2026 10:25
"..that I expect many just assume all their data is out there to be had"

I for one assume that.
Thanks (8)

By fitzroy, 16th Mar 2026 09:14
And they want us to give over even more of our data for a Gov digital ID - safe, secure and effective they say. I don't think so.
Thanks (16)

Replying to fitzroy:
By TB93, 16th Mar 2026 10:54
You mean when the government tell us something is safe and effective it's not always the case? Sounds familiar...
Thanks (8)

By Brickbat, 16th Mar 2026 09:23
Well, that makes another increase of £80 million of fees worthwhile...

It's already possible to file fraudulent accounts at Companies House - for your own company. Don't bother reporting any of the rubbish you see on there - Companies House aren't interested: I have proof, having tried it.

It's a failing Government agency, who keep putting their fees up, despite increasing incompetence and poor customer service.
Thanks (15)

By Tornado, 16th Mar 2026 09:28
This time I am rendered Speechless!
Thanks (8)

Replying to Tornado:
By WallyGandy, 16th Mar 2026 16:21
Me too. Oh, I've just shown I'm not speechless after all.....
Fully agree with all respondents. Typical cheap and nasty Government software. Contract probably awarded to lowest bidder.
Thanks (2)

Replying to WallyGandy:
By Rob Swan, 17th Mar 2026 10:42
The thing is...... ..from a 'technical' perspective (I'm a programmer), when you log in, whatever you are allowed to do should ALWAYS be limited to the companies you are correctly associated with, not just ANY company. This is clearly NOT the case.

The developers here seem to have made the (stupid/foolish) assumption that you will ONLY be allowed to view/access companies you are associated with, and therefore a 'global' permission - technically a lazy fudge - is OK because you should never have access to companies whose details you're not allowed to change. Wooops!!!

The 'REAL' (technical) problem here is likely to be complex and expensive to fix. And maybe they should test it properly, too.
Thanks (0)

By apw13, 16th Mar 2026 09:41
I have so many clients that have said to me... "Is this safe?" I really don't know how I can answer that question any more.

When we use a third party identification system, how safe is that? More or less than using the Companies House system?

Just how much data could have been seen/adjusted, is it genuinely just addresses and email addresses - I suspect we'll never know. Do we now check the data for every company that we act for?

All the GDPR hoops we have to go through just in the course of an ordinary working day and Companies House fail in its most basic duty.
Thanks (10)

Replying to apw13:
By DMossEsq, 16th Mar 2026 10:08
Any lack of confidence in the security of Companies House dampens the UK's economic growth.
Thanks (3)

Replying to apw13:
By Rob Swan, 16th Mar 2026 10:43
"Is this safe?" Now the answer is simple: "No!!"
Thanks (3)

By [email protected], 16th Mar 2026 09:56
Not surprised; over the weekend I received 2 (!) letters at home in connection with the firm's VAT agency.
My home address has no VAT connection; how on earth did they manage that link up? Govt IT...
Thanks (7)

Replying to [email protected]:
By Paul Crowley, 16th Mar 2026 11:06
I received a letter from Co House, re a failure to identify the PSC, a former client. The correspondence address on the Co House website being his address. The Regd office address being changed back in 2017.

Could not resist a nosy and, since leaving, the accounts always filed on the last date possible and the CS always at least 2 weeks late. The accounts filed being abridged full accounts, with every line in existence showing with mostly nils. If the first line is 'Called up share capital not paid £0' then it looks rubbish to me. That is the stuff on the public record.
Thanks (4)

Replying to [email protected]:
By Open all hours, 17th Mar 2026 11:36
A gentle reminder of the power of ‘Connect’?
Thanks (1)

Replying to Open all hours:
By [email protected], 17th Mar 2026 12:25
No secrets in the age of the internet! Incentive to pay in cash?
Thanks (2)

By petestar1969, 16th Mar 2026 09:59
Hmm, I have June 2025 year end accounts due for filing this month. If my clients get fined for being late, due to this shutdown, will they be able to tell Co Ho to whistle?
Thanks (2)

By 0118295, 16th Mar 2026 10:20
Shocking - the more so because nobody is surprised.
Thanks (7)

By Mr J Andrews, 16th Mar 2026 10:22
It is indeed a worrying chapter in the latest of security flaws within a series of Gov.UK IT failures. It certainly won't be the last and I suspect the ill thought out tinkering over the past decade plus, forced by indoctrinated HMRC tax honchos and passed sell by date, so called tax legends within the profession, will see quite a collection of verses to add to the woes - starting next month.

Is there a Plan B if suspension of quarterly MTD filing occurs once the shortcomings are exposed?
Thanks (3)

By Rgab1947, 16th Mar 2026 10:23
Thanks for telling us how to do it.
Surprised CH has not sent the general alert yet so we can check if something was changed without our knowledge.
Thanks (3)

By SteHolt, 16th Mar 2026 10:30
We go to work, pay tax and the state spends it on vapourware which doesn't even work. We could have built useable infrastructure instead and made everyone's lives better. But no. We invent rules and build rubbish software.
Thanks (5)

By petestar1969, 16th Mar 2026 10:45
Do Fujitsu have anything to do with CoHo's systems?
Thanks (7)

Replying to petestar1969:
By unclejoe, 16th Mar 2026 11:34
I believe that Fujitsu were heavily involved with HMRC software, so if I were a betting man I would put money on "Yes!"
Thanks (5)

By 0098087, 16th Mar 2026 10:52
Filed a company's change of registered office okay this morning.
Thanks (2)

Replying to 0098087:
By Tom Herbert, 16th Mar 2026 11:02
Thanks 0098087. Just posted an update from Companies House. Apparently it was back online as of 9am this morning.
Thanks (2)

By Paul Crowley, 16th Mar 2026 10:55
It justifies all the skepticism of those not wanting to ID. They were completely correct.
Thanks (9)

By well_that_depends, 16th Mar 2026 11:28
https://www.gov.uk/government/news/update-on-companies-house-webfiling-s...

"Our investigation indicates that this issue was introduced when we updated our WebFiling systems in October 2025."

So assuming a vacuuming of data for future trawling by baddies, it seems sensible (and relatively simple) to change your company auth code. Not saying that they would have necessarily been available, but it seems sensible to change the lock just in case someone has a digital photocopy of your front door key.
Thanks (4)

Replying to well_that_depends:
By FactChecker, 16th Mar 2026 15:57
The statement from Andy King (Chief Executive Officer, Companies House) included: "We are actively analysing our data to identify any anomalies, and we’ll be emailing every company’s registered email address ..."
But that'll be the email address that is NOW on the CoHo register - you know, the one that was the first thing changed by any hacker!

The ineptitude is ratcheted up another gear ...
Thanks (5)

Replying to FactChecker:
By Rob Swan, 17th Mar 2026 10:48
Evidence suggests that's how the public sector works these days....

If you're 'competent' you make everyone else look/feel incompetent - you're not going to get the (top) job. But if you're a blithering idiot and/or clearly incompetent, you make the rest look great and you're in no danger of highlighting their failings - you start next Monday!
Thanks (1)

By unclejoe, 16th Mar 2026 11:39
Well, perhaps the good that will come of this is that it surely must put a nail in the coffin of compulsory digital ID that the govt want to impose.

Well done AW for reporting this; a quick Google search seems to show that the issue has almost no mainstream media coverage. Funny that!
Thanks (7)

Replying to unclejoe:
By 0098087, 16th Mar 2026 11:49
I thought that compulsory digital ID had already gone.
Thanks (2)

Replying to 0098087:
By SteHolt, 16th Mar 2026 15:35
Not really. It is just being sneaked in slower.
Thanks (2)

By e, 16th Mar 2026 12:01
Comedy clubs
Thanks (1)

By WhiteRose, 16th Mar 2026 12:57
Almost as worrying as the security issue is the fact that "John Hewitt ... first discovered the vulnerability. He contacted Companies House but did not receive a response".
Thanks (8)

Replying to WhiteRose:
By 0098087, 16th Mar 2026 13:03
Co House are a total joke. We had a company that we could file the confirmation statement for. We realised the DOB was incorrect. We submitted forms to change it and were told that form was out of date, even though it was on the website, as they had changed the form. We then told them why the statement was late and they rejected the argument. We have submitted new forms; they are running one month behind on post and emails take around a week to answer. Shocking.
Thanks (3)

By Justin Bryant, 16th Mar 2026 15:22
https://www.bbc.co.uk/news/articles/c5y41p0dy1wo
Thanks (4)

Replying to Justin Bryant:
By Southwestbeancounter, 16th Mar 2026 16:36
Thanks Justin - at least it has reached the mainstream press now.....
Thanks (2)