Companies House Suspends WebFiling After Critical Data Vulnerability Exposed

Key Takeaways

  • The UK’s Companies House has taken its WebFiling service offline following the discovery of a critical security flaw that allowed users to view and edit sensitive personal data of company directors.
  • The vulnerability, which could be exploited simply by using a browser's back button, has raised significant concerns regarding corporate identity theft and the integrity of the UK's business register.

Mentioned

  • Companies House (company)
  • Dan Neidle (person)
  • Tax Policy Associates (company)
  • AstraZeneca (company, AZN)
  • Shell (company, SHEL)
  • Tesco (company, TSCO)
  • WebFiling (product)

Key Intelligence

Key Facts

  1. WebFiling service suspended on March 13, 2026, following discovery of a critical data vulnerability.
  2. The flaw allowed unauthorized access to sensitive data including directors' home addresses and dates of birth.
  3. Exploitation required no hacking tools, relying instead on a simple browser 'back key' navigation error.
  4. Whistleblower Dan Neidle of Tax Policy Associates alerted the agency to the security gap.
  5. Companies House has waived late filing penalties for users who can provide evidence of service unavailability.

Who's Affected

  • Companies House (company): negative
  • Company Directors (person): negative
  • Legal Professionals (company): negative

Analysis

The suspension of the UK’s Companies House WebFiling service marks a significant failure in the digital infrastructure underpinning the British economy. On March 13, 2026, the registrar was forced to take its primary online filing portal offline after a critical security vulnerability was brought to light. The flaw was not the result of a sophisticated cyberattack but rather a fundamental failure in session handling and data authorization. Specifically, users reported that by simply using the "back" button on their web browser, they could gain unauthorized access to the dashboards of other companies. This allowed for the viewing and, more alarmingly, the editing of sensitive corporate and personal data.
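The article attributes the flaw to session handling and data authorization but does not say how the WebFiling code was written. The following is an added, illustrative example, not Companies House code and not the confirmed root cause: it models one common way a logged-in user ends up seeing another company's dashboard (a handler that checks only that a session exists, not that the session's user is entitled to the company named in the request, and that lets the browser cache the page so the back button can replay it), beside a hardened handler that enforces object-level authorization on every read and write and marks personal-data responses `Cache-Control: no-store`. All users, session ids, company numbers and addresses are constructed placeholders.

```python
"""Illustrative (added) example of object-level authorization for a
multi-company filing dashboard, plus Cache-Control: no-store so a browser's
back button re-requests (and re-authorizes) a sensitive page instead of
replaying it from cache. Not Companies House code; all data is constructed,
and the vulnerable pattern is an assumption, not the registrar's actual bug."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed: which authenticated user may act for which company number.
USER_COMPANIES = {
    "alice": {"00000001"},
    "bob": {"00000002"},
}
# Constructed dashboards holding the kind of data the article says was exposed.
DASHBOARDS = {
    "00000001": {"name": "Example One Ltd", "registered_office": "1 Sample Street",
                 "director_dob": "1970-01-01"},
    "00000002": {"name": "Example Two Ltd", "registered_office": "2 Sample Road",
                 "director_dob": "1980-02-02"},
}
# Constructed server-side session store: session id -> authenticated user.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}

# Headers every response carrying personal data should carry.
NO_STORE = {"Cache-Control": "no-store", "Pragma": "no-cache"}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: Optional[dict] = None


def vulnerable_dashboard(session_id: str, company_number: str) -> Response:
    """Assumed weak pattern: checks only that *a* session exists, then serves
    whichever company the request names, and leaves the page cacheable."""
    if session_id not in SESSIONS:
        return Response(401)
    dashboard = DASHBOARDS.get(company_number)
    if dashboard is None:
        return Response(404)
    return Response(200, {}, dashboard)  # no ownership check, no Cache-Control


def hardened_dashboard(session_id: str, company_number: str) -> Response:
    """Object-level authorization: the company must belong to the session's
    user, and the response is marked non-cacheable."""
    user = SESSIONS.get(session_id)
    if user is None:
        return Response(401, dict(NO_STORE))
    if company_number not in USER_COMPANIES.get(user, set()):
        return Response(403, dict(NO_STORE))  # authenticated, but not for this company
    return Response(200, dict(NO_STORE), DASHBOARDS[company_number])


def hardened_update_registered_office(session_id: str, company_number: str,
                                      new_address: str) -> Response:
    """Writes run the same check: never trust a company number from the
    request without re-verifying ownership against the server-side session."""
    auth = hardened_dashboard(session_id, company_number)
    if auth.status != 200:
        return auth
    DASHBOARDS[company_number]["registered_office"] = new_address
    return Response(200, dict(NO_STORE), DASHBOARDS[company_number])


def browser_may_cache(response: Response) -> bool:
    """Models the browser behaviour the back button relies on: a page marked
    no-store is fetched again (hitting the authorization check) rather than
    rendered from the local cache."""
    return "no-store" not in response.headers.get("Cache-Control", "")


def logout(session_id: str) -> None:
    """Invalidate the session server-side, not just the client-side cookie."""
    SESSIONS.pop(session_id, None)


if __name__ == "__main__":
    # bob is logged in but has no rights over company 00000001
    print("vulnerable:", vulnerable_dashboard("sess-bob", "00000001").status)
    print("hardened:  ", hardened_dashboard("sess-bob", "00000001").status)
    print("cacheable: ", browser_may_cache(hardened_dashboard("sess-alice", "00000001")))
```

The two properties are independent and both are needed: the ownership check stops a logged-in user from reaching another company's data by any route, while `no-store` stops the browser from showing a previously authorized page after the session that earned it has ended.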

The implications of this breach extend far beyond a mere technical glitch. For a registrar that holds the records of millions of businesses, including global giants like AstraZeneca, Shell, and Tesco, the integrity of its data is paramount. The vulnerability exposed directors’ home addresses, dates of birth, and email addresses—the exact data points used by financial institutions for Know Your Customer (KYC) and Anti-Money Laundering (AML) checks. Dan Neidle, the founder of Tax Policy Associates who alerted the agency to the flaw, described the situation as "absolutely insane." He noted that the ease of access meant that no specialized hacking skills were required to potentially hijack a company’s identity. By changing a registered office address or filing fraudulent accounts, bad actors could effectively seize control of a business’s legal persona, intercepting sensitive correspondence or damaging its credit rating.

This incident occurs at a particularly sensitive time for Companies House. Under the Economic Crime and Corporate Transparency Act 2023, the agency has been transitioning from a passive recipient of information to an active regulator with enhanced powers to verify the identity of directors and challenge suspicious filings. This breach undermines the agency's new mandate. If the "source of truth" for UK corporate data cannot secure its own interface against basic navigational errors, the legal and RegTech sectors may question the reliability of the broader digital transformation efforts currently underway. For legal professionals and RegTech providers who rely on Companies House APIs for due diligence and automated filings, this service interruption creates an immediate operational vacuum.

What to Watch

The potential duration of the vulnerability remains a critical unknown. While Companies House acted quickly once notified, the window of exposure is the primary metric for assessing risk. As Neidle pointed out, if the flaw existed for weeks or months, the likelihood of systematic exploitation rises sharply. Security industry research suggests that vulnerabilities are often discovered and exploited by malicious actors within 15 days of going live. If this "back key" exploit was present during a period of high filing activity, the volume of compromised data could be staggering.

For the legal community, the immediate concern is the impact on statutory filing deadlines. Companies House has issued guidance stating that those who miss deadlines due to the outage will not be penalized, provided they can produce evidence such as screenshots of error messages. However, this manual workaround is a regression for an industry that has moved toward seamless, automated compliance. Moving forward, the registrar will likely face intense scrutiny regarding its software development lifecycle (SDLC) and why such a rudimentary flaw was not caught during penetration testing. This event serves as a stark reminder that as RegTech becomes more centralized and digital, the "single point of failure" risk grows, necessitating more robust defensive architectures and transparent incident reporting.

Timeline

  1. Vulnerability Reported
  2. Service Suspension
  3. Guidance Issued

Sources

Based on 2 source articles