Companies House Security Flaw Exposes Private Data of UK Business Directors A critical vulnerability in the UK’s Companies House WebFiling system exposed sensitive details of directors at millions of registered businesses, including AstraZeneca, Shell, and Tesco. The flaw, discovered last Friday, forced the agency to temporarily shut down its online filing service before restoring it on Monday morning. The bug allowed logged-in users to access confidential data such as dates of birth and residential addresses of key personnel from the 5 million companies on the register. More alarmingly, it permitted unauthorized changes to directors’ contact details, including addresses and emails, without consent. Security researcher John Hewitt of Ghost Mail identified the issue, which could be triggered by pressing the back button four times while viewing a company’s profile. An internal investigation traced the vulnerability to a system update implemented in October 2023. Companies House CEO Andy King confirmed that no evidence of unauthorized data access or alterations has been found, though the review remains ongoing. The agency has urged businesses to verify their registered details for accuracy. The incident is now under scrutiny by the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC). Companies House has advised affected businesses to file complaints if they suspect any misuse of their data.