**Companies House**, a British government agency, took its WebFiling service offline on Friday to address a security vulnerability that had been present since October 2025. The flaw potentially exposed the data of millions of registered companies. ### Discovery of the Vulnerability The vulnerability was reported to **Companies House** by **Dan Neidle**, founder of **Tax Policy Associates**, after **Ghost Mail's** John Hewitt initially discovered the issue but allegedly did not receive a response from the agency. "All that was required was to log in to Companies House using your own details and access your own company's dashboard. Then opt to 'file for another company' and enter the company number for any one of the five million companies registered with Companies House," [said Neidle](https://taxpolicy.org.uk/2026/03/13/companies-house-security-vulnerability-directors-addresses/). "At that point you'd be asked for an authentication code, which of course you don't have. No problem. Press the 'back' key a few times to return to your dashboard. Except – it isn't your dashboard. It's the other company's dashboard." ### Data Exposure According to Neidle, the flaw allowed access to sensitive information, including the home and email addresses of company management, for all five million registered companies. **Companies House** confirmed the vulnerability on Monday, stating that it was introduced during an update to its WebFiling systems in October 2025.  The agency acknowledged that logged-in users could have potentially "change[d] some elements of another company's details without their consent." They also admitted that the vulnerability could have been exploited to steal data and access company records one at a time. ### Impact and Investigation "Our investigation has established that specific data from individual companies not normally published on the Companies House register may have been visible to other logged-in WebFiling users," **Companies House** stated in a [public announcement](https://www.gov.uk/government/news/update-on-companies-house-webfiling-security-issue). This exposed data included dates of birth, residential addresses, and company email addresses. The agency also noted the possibility of unauthorized filings, such as accounts or changes of director, being made on another company's record. **Companies House** clarified that user passwords and identity verification data, such as passport information, were not compromised. Furthermore, existing filed documents could not be altered. The agency has reported the incident to the U.K. **Information Commissioner's Office (ICO)** and the **National Cyber Security Centre (NCSC)**. An investigation is underway to determine if the vulnerability was exploited to access or modify any company's details. "We have no reports at this stage of data having been accessed or changed without permission," **Companies House** stated. "However, our investigation is ongoing. We'll provide further updates as our work progresses and we remain committed to being transparent throughout."