Executive Summary
In March 2026, the UK's Companies House disclosed a significant security vulnerability in its WebFiling service, which had been present since October 2025. This flaw allowed authenticated users to access and potentially modify sensitive information of any registered company by exploiting a back-navigation loophole. The exposed data included directors' residential addresses, email addresses, and dates of birth. The agency has since rectified the issue, notified affected parties, and reported the incident to the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC). This incident underscores the critical importance of rigorous security testing and prompt response to vulnerabilities in public sector digital services. The exposure of personal data over an extended period raises concerns about potential misuse and the necessity for enhanced monitoring and compliance measures to protect sensitive information.
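The flaw class described above, an authorisation check tied to the navigation flow rather than to each request, is illustrated here with an added example that is not the page's or Companies House's code; the real WebFiling mechanism is not detailed on this page, and the users, company numbers, handler names and audit list are constructed assumptions. It shows the weak pattern beside a per-request check that also records denials for monitoring:

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample authority table (hypothetical users and company numbers):
# which companies each authenticated filing-portal user is allowed to administer.
AUTHORISED = {
    "alice": {"01234567"},
    "bob": {"07654321", "09999999"},
}

# Constructed audit trail of authorisation decisions, used for detecting unusual access.
AUDIT = []

@dataclass
class Session:
    user: str
    current_company: Optional[str] = None  # navigation state set during the filing flow

@dataclass
class Request:
    path: str
    company: Optional[str] = None  # company number carried by the request, if any

def select_company(session: Session, company: str) -> None:
    """Flow step that records the chosen company; authority is checked only here."""
    if company not in AUTHORISED.get(session.user, set()):
        raise PermissionError("not authorised at selection")
    session.current_company = company

def dashboard_trusting_navigation(session: Session, request: Request) -> str:
    """Weak pattern: assumes every request reached the dashboard through
    select_company(), so a company number arriving with a later request
    (for example after back-navigation) is served without being re-checked."""
    company = request.company or session.current_company
    return f"dashboard for {company}"

def dashboard_per_request(session: Session, request: Request) -> str:
    """Hardened pattern: object-level authorisation is re-evaluated on every
    request against the user's authority table, independent of how the
    request was reached, and each denial is recorded for monitoring."""
    company = request.company or session.current_company
    allowed = company is not None and company in AUTHORISED.get(session.user, set())
    AUDIT.append((session.user, company, "allowed" if allowed else "denied"))
    if not allowed:
        raise PermissionError(f"{session.user} not authorised for company {company}")
    return f"dashboard for {company}"

def denied_count(user: str) -> int:
    """Number of denied cross-company attempts by a user; a simple alerting signal."""
    return sum(1 for u, _, outcome in AUDIT if u == user and outcome == "denied")
```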
Why This Matters Now
The prolonged exposure of sensitive business data due to this vulnerability highlights the urgent need for continuous security assessments and robust access controls in government digital services. Organizations must prioritize the protection of personal information to maintain public trust and comply with data protection regulations.
Attack Path Analysis
An attacker exploited a flaw in the Companies House WebFiling service, allowing unauthorized access to other companies' dashboards. This access enabled viewing and potentially altering sensitive company information. The attacker could then move laterally within the system to access additional data. Establishing command and control, the attacker maintained persistent access to compromised accounts. Sensitive data, including personal addresses and emails, was exfiltrated. The impact included unauthorized changes to company records and potential exposure of sensitive information.
Kill Chain Progression
Initial Compromise
Description
Exploited a flaw in the WebFiling service to access other companies' dashboards.
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Web Portal Capture
Cloud Service Dashboard
Forge Web Credentials
Valid Accounts
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 2.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Direct impact as UK Companies House web application vulnerability exposed five million company records, requiring enhanced egress security and zero trust segmentation for government digital services.
Legal Services
Corporate legal firms face compliance risks, as the exposed company director addresses and filing capabilities create data breach liabilities under the HIPAA and PCI standards referenced.
Financial Services
Banking institutions vulnerable to similar web application flaws exposing customer business data, necessitating multicloud visibility controls and encrypted traffic protection for regulatory compliance.
Accounting
Accounting firms managing company filings at risk of unauthorized access to client financial data through web application vulnerabilities, requiring threat detection and policy enforcement.
Sources
- UK's Companies House confirms security flaw exposed business data: https://www.bleepingcomputer.com/news/security/uks-companies-house-confirms-security-flaw-exposed-business-data/
- Update on Companies House WebFiling security issue: https://www.gov.uk/government/news/update-on-companies-house-webfiling-security-issue
- Companies House WebFiling Shifts to GOV.UK One Login: https://www.miragenews.com/companies-house-webfiling-shifts-to-govuk-one-1522177/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to exploit vulnerabilities, move laterally, and exfiltrate sensitive data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit the WebFiling service vulnerability would likely be constrained, reducing unauthorized access to company dashboards.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges and access sensitive information would likely be constrained, reducing unauthorized modifications.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the system would likely be constrained, reducing unauthorized access to additional records.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to maintain persistent access would likely be constrained, reducing the duration of unauthorized control.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data would likely be constrained, reducing unauthorized data exposure.
Overall: The attacker's ability to alter company records and expose sensitive information would likely be constrained, reducing the overall impact of the breach.
Impact at a Glance
Affected Business Functions
- Company Registration
- Filing of Annual Returns
- Director Appointments
- Registered Office Changes
Estimated downtime: 3 days
Estimated loss: N/A
Data exposed: Personally identifiable information (PII) of company directors, including dates of birth, residential addresses, and company email addresses.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict access between services and prevent unauthorized lateral movement.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to unusual access patterns promptly.
- Enforce Egress Security & Policy Enforcement to monitor and control data exfiltration attempts.
- Utilize Multicloud Visibility & Control to gain comprehensive insights into system activities and detect anomalies.
- Regularly update and patch web applications to mitigate vulnerabilities and reduce the attack surface.