Businesses urged to check company records immediately following discovery of major vulnerability

A security vulnerability in the Companies House web filing system, present since October 2025, allowed logged-in users to access other companies' private dashboards through a simple sequence of actions.

The flaw, discovered on 12 March by John Hewitt at corporate services provider Ghost Mail, enabled access to non-public information, including directors' home addresses, email details and dates of birth.

Testing also suggested it may have allowed unauthorised users to file accounts or modify company information without the legitimate company owner receiving notification.

A poll conducted on the Enterprise Nation community hub found 76% of members were either concerned or very concerned about the news.

Amanda Brooks, founder of Brooks Business & Funding Solutions and an Enterprise Nation member, said:

"This is definitely concerning, particularly for small businesses that rely on the integrity of public records like Companies House."

"For many founders, Companies House is not just a register, it is the primary source that lenders, grant bodies, partners and investors use to verify a company's legitimacy and leadership."

The vulnerability that shocked security experts

Tax expert Dan Neidle, of Tax Policy Associates, who helped verify the exploit after being contacted by Hewitt, was "incredulous" when first shown how the breach worked.

In a video call that has since been widely shared, Hewitt demonstrated how he could access any company's private dashboard simply by logging into his own account, attempting to file for another company, then hitting the back button when prompted for authentication.

The exploit exposed data never intended for public view, including directors' complete dates of birth, residential addresses, and personal email addresses – the information required for identity fraud and social engineering attacks.

More alarmingly, tests suggested the vulnerability allowed unauthorised users to modify company details and file accounts, with confirmation numbers generated but emails sent only to the fraudster, not the legitimate company director.

Amanda warned:

"If personal or company details can be altered, even temporarily, it could potentially create confusion around ownership, directorship or company control."

Companies House has confirmed the vulnerability existed since October 2025, when systems were updated. Research indicates that newly discovered vulnerabilities are typically exploited within 15 days.

Taking action

The web filing system was shut down within hours of Companies House being alerted on Friday, 13 March, remaining offline until Monday, 16 March, while the vulnerability was patched and independently tested.

Companies House chief executive, Andy King, issued an apology and confirmed the breach has been reported to the Information Commissioner's Office and National Cyber Security Centre.

The organisation has stated it believes the issue "could not have been used to extract data in large volumes", but has not confirmed whether it can definitively identify which companies were accessed or whether any fraudulent modifications were made.

The statement said:

"We have no reports at this stage of data having been accessed or changed without permission. However, our investigation is ongoing."

But Amanda pointed out:

"The practical risk isn't just data exposure, but also the possibility of fraudulent filings, changes to director information, or reputational damage if incorrect details appear publicly.

"For businesses seeking funding or partnerships, maintaining accurate and secure company records becomes even more important because due diligence checks often start there.”

What business owners must do now

Companies House has emailed all five million registered companies, urging them to verify their details.

Amanda advised:

"Situations like this are a reminder for founders to regularly monitor their Companies House filings, enable identity verification where possible, and ensure internal records match what is publicly registered."

"It will be interesting to see how Companies House strengthens verification and safeguards following this issue."

Need help?

Enterprise Nation members concerned about their Companies House records can find support and guidance through the member community hub and business advisory services.

Enterprise Nation adviser and Cheltenham-based cyber security expert and founder of P3M Works, Jack Marley, said:

“It is not currently known how long this vulnerability has been exploited, or if it has been exploited at all.”

But he suggested businesses check their information and communicate this issue to customers, and advise they check their accounts to ensure the information is correct.

People also read

• Cyber security in 2026: What your business should be thinking about

• Cyber resilience: A wake-up call from the M&S incident