'The latest in a series of public sector data disasters': Cyber experts hit out at Companies House security fiasco

The incident at Companies House underlines the need for more robust public sector security capabilities


Cybersecurity experts have called for an overhaul of public sector security processes after a Companies House flaw left thousands of businesses at risk of exposure.

Graeme Stewart, head of public sector at Check Point Software, described the incident as “the latest in a series of public sector data disasters” that threaten organizations across the country.

Stewart’s comments come after British-based businesses were told to check their details after a flawed update caused a breach on the Companies House website. Companies House is the UK's register of incorporated businesses, holding data on directors and other company officials.

First spotted last week but possibly in play since last year, the breach meant anyone logged in to use the WebFiling system on Companies House could access and even change the details of any other company.

In a statement, Andy King, the chief executive of Companies House, stressed that the data was only accessible to logged in users, not the wider public, and details could only be altered after "performing a specific set of actions".

King apologized for the issue, noting that the incident will have “caused concern and inconvenience” to companies and business leaders that use the service.

While the impact of this breach remains unclear as yet, Stewart suggested the flaw could threaten the privacy, security and even personal safety of company directors.

"A bug of this scale is a gift to cyber criminals seeking to upload false documentation, impersonate CEOs and facilitate data theft," Stewart said.

"It's time for a complete overhaul of core systems, with security armor embedded by design rather than as an afterthought."

Companies House incident: What data is at risk?

Private data could have been accessed, the organization admitted, including dates of birth, addresses, and company email addresses.

"Our investigation has established that specific data from individual companies not normally published on the Companies House register may have been visible to other logged-in WebFiling users," King said. "This includes dates of birth, residential addresses and company email addresses."

Passwords were not compromised, King said, and identity data such as passports were not accessed. Companies House doesn't believe that data could have been extracted in large volumes, but instead the bug permitted individual company records to be viewed one by one.

"It may also have been possible for unauthorized filings — such as accounts or changes of director — to have been made on another company’s record," King said, adding: "No existing filed documents, such as accounts or confirmation statements could have been altered."

So far, there are no reports of data being accessed in this way, but the organization is actively seeking out any issues.

How has Companies House responded?

The flaw was likely introduced during an update to WebFiling back in October. Once the bug was spotted last Friday, Companies House was taken offline over the weekend, but service returned yesterday (16 March).

Dray Agha, senior manager of security operations at Huntress, echoed Stewart’s comments, suggesting that the incident highlights the need for a reassessment of public sector and government security.

"This incident underscores the urgent need for government agencies to enforce rigorous application security testing, robust QA processes, and strict access controls before web updates go live," Agha said.

Companies House has reported the issue to the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC).

"If we find evidence that anyone has used this issue to access or change another company’s details without authorisation, we will take firm action," King said.

While King said the organization was "actively analysing" data to identify any anomalies, William Wright, CEO of Closed Door Security, noted the systems required to spot problems going forward would have likely spotted the bug too.

"What’s also concerning is that it’s unclear if there was a logging or auditing system in place to check what accounts were being read and modified, and when," Wright said. "If such a system was in place, the question then becomes why this flaw wasn’t noticed sooner."
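The flaw described above (a login session was enough to read or change any company's WebFiling record) and Wright's point about logging can be seen together in a small model. This is an added example, not Companies House code; the register contents, user names and audit lines are constructed, and the `AUTHORISED` mapping stands in for whatever real link exists between a WebFiling account and the companies it may file for.

```python
"""Object-level authorisation plus an audit-log check, modelling the WebFiling flaw."""
import re
from collections import defaultdict

# Constructed register: company number -> data not normally published
REGISTER = {
    "00000001": {"dob": "1970-01-01", "address": "1 Example St", "email": "a@example.test"},
    "00000002": {"dob": "1980-02-02", "address": "2 Example St", "email": "b@example.test"},
}
# Assumed mapping: which logged-in user may act on which company
AUTHORISED = {"alice": {"00000001"}, "bob": {"00000002"}}

def is_authorised(user, company_no):
    return company_no in AUTHORISED.get(user, set())

def read_record_vulnerable(user, company_no):
    # Pre-fix behaviour: the only check is that the caller has a login session,
    # so any logged-in user can view any company's private data one record at a time.
    if user not in AUTHORISED:
        raise PermissionError("not logged in")
    return REGISTER[company_no]

def read_record(user, company_no):
    # Hardened: the session must also be authorised for this specific company.
    if not is_authorised(user, company_no):
        raise PermissionError(f"{user} is not authorised for company {company_no}")
    return REGISTER[company_no]

def update_record(user, company_no, **changes):
    # Filings such as a change of director go through the same object-level check.
    rec = read_record(user, company_no)
    rec.update(changes)
    return rec

# Constructed audit lines of the kind an auditing system would need to retain
AUDIT_LINES = """\
2026-03-12T09:00:01Z user=alice action=read company=00000001
2026-03-12T09:00:05Z user=bob action=read company=00000001
2026-03-12T09:00:09Z user=bob action=write company=00000001
2026-03-12T09:01:00Z user=bob action=read company=00000002
""".splitlines()
LINE_RE = re.compile(r"user=(\S+) action=(read|write) company=(\d{8})")

def find_cross_company_access(lines, authorised=AUTHORISED):
    """Return {user: [(action, company), ...]} for every access to a company the
    user is not authorised for; with per-record logging this is the anomaly that
    would have exposed the bug long before a public report."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if m and m.group(3) not in authorised.get(m.group(1), set()):
            hits[m.group(1)].append((m.group(2), m.group(3)))
    return dict(hits)
```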

Companies House added it will be emailing every registered company with advice on how to check their details. Companies should ensure any emails come directly from Companies House and go directly to the website to log in rather than trust email links, as spammers often take advantage of such incidents.

"Companies House takes its responsibility to protect the data entrusted to us extremely seriously," King commented. "We have taken swift action to secure and restore our service, and are committed to doing everything in our power to support those affected and to making sure that our services continue to merit the trust placed in them."

What should companies do?

The first step is to log into Companies House and ensure all data is correct and there are no issues with their filing history. If anything concerning is spotted, companies have been advised to gather evidence and raise a complaint here.

They should also keep an eye out for any further updates from Companies House.

Beyond that, keep a close eye out for fraud using the potentially breached data, said Agha, and ensure employees including executives are aware of the threat.

"From a security perspective, cybercriminals have been handed a ready-made toolkit for identity theft," Agha said.

"Because company directors often have high-level access to corporate funds and data, this specific information can be weaponised for highly targeted spear-phishing and executive impersonation (CEO fraud),” he added.

“It puts both the personal lives of business leaders and the broader security of their corporate networks at immediate risk."

The incident raises trust issues – particularly problematic as businesses can't avoid using Companies House, Wright said.

"If the government and Companies House's current security testing processes were fit for purpose, flaws like this should not have occurred," Wright said.

"Given that many companies (such as Ltd.’s and PLCs) are required by law to use these services, basic testing and data protection are absolutely critical, especially if the government wants to retain its credibility with the business community."


Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.

Nicole is the author of a book about the history of technology, The Long History of the Future.