Tesco, AstraZeneca and Shell: Millions of UK businesses exposed by Companies House security flaw

Companies House Security Flaw Exposes Private Data of UK Business Directors

A critical vulnerability in the UK’s Companies House WebFiling system exposed sensitive details of directors at millions of registered businesses, including AstraZeneca, Shell, and Tesco. The flaw, discovered on Friday 7 June 2024, forced the agency to take its online filing service offline over the weekend; the service was restored on the morning of Monday 10 June.

The bug allowed logged-in users to access confidential data such as dates of birth and residential addresses of key personnel from the 5 million companies on the register. More alarmingly, it permitted unauthorized changes to directors’ contact details, including addresses and emails, without consent. Security researcher John Hewitt of Ghost Mail identified the issue, which could be triggered by pressing the back button four times while viewing a company’s profile.

An internal investigation traced the vulnerability to a system update implemented in October 2023. Companies House CEO Andy King confirmed that no evidence of unauthorized data access or alterations has been found, though the review remains ongoing. The agency has urged businesses to verify their registered details for accuracy.
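Because Companies House has asked businesses to check their registered details themselves, the practical follow-up is to automate that check. The following is an added illustration, not code from the article or from Companies House: it pulls a company's officer list from the public Companies House API (the `/company/{number}/officers` resource, with the API key sent as the HTTP Basic username and an empty password) and diffs it against a snapshot saved from an earlier run. The two embedded responses are constructed sample data in the shape of that resource, not real register entries, and the company number and API key in the usage comment are placeholders.

```python
import base64
import json
import urllib.request

API_BASE = "https://api.company-information.service.gov.uk"

# Officer fields a business would want to be alerted on if they change on the register.
WATCHED = ("officer_role", "appointed_on", "address", "date_of_birth")


def fetch_officers(company_number: str, api_key: str) -> dict:
    """Live lookup (needs network): GET /company/{number}/officers.
    Companies House API keys are sent as the HTTP Basic username with an empty password."""
    req = urllib.request.Request(f"{API_BASE}/company/{company_number}/officers")
    token = base64.b64encode(f"{api_key}:".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def normalise(response: dict) -> dict:
    """Reduce an officers response to {name: watched fields}, skipping resigned officers."""
    current = {}
    for item in response.get("items", []):
        if item.get("resigned_on"):
            continue
        current[item["name"]] = {field: item.get(field) for field in WATCHED}
    return current


def diff_officers(snapshot: dict, live: dict) -> list:
    """Compare a saved officers response with a fresh one.
    Returns (kind, name, field, old, new) tuples; an empty list means nothing changed."""
    old, new = normalise(snapshot), normalise(live)
    changes = []
    for name in sorted(set(old) | set(new)):
        if name not in old:
            changes.append(("added", name, None, None, new[name]))
        elif name not in new:
            changes.append(("removed", name, None, old[name], None))
        else:
            for field in WATCHED:
                if old[name][field] != new[name][field]:
                    changes.append(("changed", name, field, old[name][field], new[name][field]))
    return changes


# Constructed sample data in the shape of the officers resource (not real register entries).
_JANE = {"name": "SMITH, Jane", "officer_role": "director", "appointed_on": "2019-03-01",
         "address": {"address_line_1": "1 Example Street", "locality": "London",
                     "postal_code": "EC1A 1AA"},
         "date_of_birth": {"month": 5, "year": 1975}}
_PETER = {"name": "JONES, Peter", "officer_role": "secretary", "appointed_on": "2019-03-01",
          "address": {"address_line_1": "1 Example Street", "locality": "London",
                      "postal_code": "EC1A 1AA"},
          "date_of_birth": {"month": 11, "year": 1980}}

SNAPSHOT = {"items": [_JANE, _PETER], "total_results": 2}

# A later pull in which Jane's service address was changed, Peter resigned and a new director appeared.
LIVE = {"items": [
    dict(_JANE, address={"address_line_1": "99 Somewhere Else", "locality": "Leeds",
                         "postal_code": "LS1 1AA"}),
    dict(_PETER, resigned_on="2024-06-09"),
    {"name": "BROWN, Alex", "officer_role": "director", "appointed_on": "2024-06-09",
     "address": {"address_line_1": "99 Somewhere Else", "locality": "Leeds",
                 "postal_code": "LS1 1AA"},
     "date_of_birth": {"month": 2, "year": 1990}},
], "total_results": 3}


def report(changes: list) -> list:
    """Format changes as one line each, suitable for feeding an alerting pipeline."""
    return [f"{kind}: {name}" + (f" [{field}] {old!r} -> {new!r}" if field else "")
            for kind, name, field, old, new in changes]


if __name__ == "__main__":
    # Offline demonstration on the constructed data. For a live check, replace LIVE with
    # fetch_officers("<company number>", "<api key>") and SNAPSHOT with a response saved earlier.
    for line in report(diff_officers(SNAPSHOT, LIVE)):
        print(line)
```

Two caveats worth keeping in mind when running this against the real register. The public API returns only the month and year of birth and the officer's service address, so this check catches unauthorised changes to what has been filed (appointments, roles, addresses on record), which is what Companies House asked businesses to verify; it cannot tell you whether full dates of birth or residential addresses were viewed through the WebFiling flaw, because those fields are not exposed by the public API at all. And the snapshot is only as trustworthy as the date it was taken: a baseline captured after the vulnerable update went live could already contain an altered record, so compare against filings you hold yourself where possible.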

The incident is now under scrutiny by the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC). Companies House has advised affected businesses to file complaints if they suspect any misuse of their data.

Source: https://www.aol.com/articles/millions-uk-businesses-exposed-companies-154950345.html

AstraZeneca cybersecurity rating report: https://www.rankiteo.com/company/astrazeneca

Tesco cybersecurity rating report: https://www.rankiteo.com/company/-tesco

Shell cybersecurity rating report: https://www.rankiteo.com/company/shell

"id": "AST-TESHE1773679185",
"linkid": "astrazeneca, -tesco, shell",
"type": "Vulnerability",
"date": "3/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '5 million registered companies',
                        'industry': 'Government/Regulatory',
                        'location': 'United Kingdom',
                        'name': 'Companies House',
                        'size': 'Large',
                        'type': 'Government Agency'},
                       {'industry': 'Pharmaceutical',
                        'location': 'United Kingdom',
                        'name': 'AstraZeneca',
                        'size': 'Large',
                        'type': 'Corporation'},
                       {'industry': 'Energy',
                        'location': 'United Kingdom',
                        'name': 'Shell',
                        'size': 'Large',
                        'type': 'Corporation'},
                       {'industry': 'Retail',
                        'location': 'United Kingdom',
                        'name': 'Tesco',
                        'size': 'Large',
                        'type': 'Corporation'}],
 'attack_vector': 'Web Application Vulnerability',
 'data_breach': {'personally_identifiable_information': 'Dates of birth, '
                                                        'residential '
                                                        'addresses, emails, '
                                                        'physical addresses',
                 'sensitivity_of_data': 'High (dates of birth, residential '
                                        'addresses, contact details)',
                 'type_of_data_compromised': 'Personally Identifiable '
                                             'Information (PII)'},
 'date_detected': '2024-06-07',
 'date_resolved': '2024-06-10',
 'description': 'A critical vulnerability in the UK’s Companies House '
                'WebFiling system exposed sensitive details of directors at '
                'millions of registered businesses, including AstraZeneca, '
                'Shell, and Tesco. The flaw allowed logged-in users to access '
                'confidential data such as dates of birth and residential '
                'addresses, and permitted unauthorized changes to directors’ '
                'contact details without consent.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage to '
                                       'Companies House and affected '
                                       'businesses',
            'data_compromised': 'Dates of birth, residential addresses, '
                                'contact details (emails, addresses)',
            'downtime': 'Temporary shutdown (Friday to Monday morning)',
            'identity_theft_risk': 'High (exposure of personally identifiable '
                                   'information)',
            'operational_impact': 'Service disruption, manual verification of '
                                  'registered details required',
            'systems_affected': 'Companies House WebFiling system'},
 'investigation_status': 'Ongoing',
 'post_incident_analysis': {'root_causes': 'System update flaw implemented in '
                                           'October 2023'},
 'recommendations': 'Businesses urged to verify registered details; enhanced '
                    'security reviews for system updates',
 'references': [{'source': 'Ghost Mail (Security Researcher John Hewitt)'},
                {'source': 'Companies House'}],
 'regulatory_compliance': {'regulations_violated': 'Potential GDPR violations',
                           'regulatory_notifications': 'Information '
                                                       'Commissioner’s Office '
                                                       '(ICO), National Cyber '
                                                       'Security Centre '
                                                       '(NCSC)'},
 'response': {'communication_strategy': 'Advisory to businesses to verify '
                                        'registered details',
              'containment_measures': 'Temporary shutdown of WebFiling system',
              'recovery_measures': 'Service restored on Monday morning',
              'remediation_measures': 'System review and restoration'},
 'stakeholder_advisories': 'Businesses advised to verify registered details '
                           'and file complaints if misuse is suspected',
 'title': 'Companies House Security Flaw Exposes Private Data of UK Business '
          'Directors',
 'type': 'Data Exposure',
 'vulnerability_exploited': 'System update flaw (October 2023)'}