Full Report
Companies House, a British government agency that operates the registry for all U.K. companies, says its WebFiling service is back online after it was closed on Friday to fix a security flaw that exposed companies' information since October 2025. [...]
Analysis Summary
# Incident Report: Companies House WebFiling Information Disclosure
## Executive Summary
A critical authorization bypass vulnerability in the Companies House WebFiling service exposed sensitive, non-public data for approximately five million UK-registered companies over a five-month period. The flaw allowed logged-in users to access other companies' private dashboards and potentially perform unauthorized filings by exploiting a session handling error via browser navigation. The agency disabled the service to apply a fix and is currently investigating potential exploitation.
## Incident Details
- **Discovery Date:** March 13, 2026 (Friday)
- **Incident Date:** October 2025 – March 16, 2026
- **Affected Organization:** Companies House (UK Government)
- **Sector:** Government / Corporate Registry
- **Geography:** United Kingdom
## Timeline of Events
### Initial Access
- **Date/Time:** October 2025
- **Vector:** System Update
- **Details:** A security flaw was introduced during a routine update to the WebFiling systems, creating a logic error in session management.
### Lateral Movement
- **Mechanism:** Broken Access Control / Session Hijacking
- **Details:** Logged-in users could navigate to another company's filing page using a target company number. By hitting the browser "back" button after an authentication prompt, the system incorrectly mapped the session to the target company's dashboard rather than the user's own.
### Data Exfiltration/Impact
- **Scope:** Potential exposure of non-public data for 5 million companies.
- **Data Types:** Home (residential) addresses of directors, dates of birth, and company email addresses.
- **Unauthorized Actions:** Potential for unauthorized filings (e.g., fraudulent accounts or director changes).
### Detection & Response
- **Detection:** Discovered by John Hewitt (Ghost Mail) and reported via Dan Neidle (Tax Policy Associates).
- **Initial Response:** Companies House took the WebFiling service offline on Friday, March 13, 2026, to remediate the flaw.
- **Recovery:** Service restored on Monday, March 16, 2026, following the deployment of a patch.
## Attack Methodology
- **Initial Access:** Valid user credentials (legitimate login to WebFiling).
- **Persistence:** N/A (Session-based).
- **Privilege Escalation:** Authorization Bypass via "Back Button" logic error.
- **Defense Evasion:** Actions appeared as legitimate logged-in traffic.
- **Credential Access:** None (Passwords were not compromised).
- **Discovery:** Resource ID enumeration (using known company numbers to access specific records).
- **Lateral Movement:** Inter-account movement within the WebFiling application.
- **Collection:** Manual data harvesting (one entry at a time).
- **Exfiltration:** Display of non-public "protected" data fields on the dashboard.
- **Impact:** Potential integrity loss (unauthorized filings) and confidentiality loss (PII exposure).
## Impact Assessment
- **Financial:** TBD; costs associated with forensic investigation and potential ICO fines.
- **Data Breach:** Exposure of PII (Dates of birth and residential addresses) for company directors.
- **Operational:** Service downtime for the WebFiling portal from Friday to Monday.
- **Reputational:** Significant public scrutiny regarding the security of the national corporate register and the 5-month exposure window.
## Indicators of Compromise
- **Network indicators:** N/A (Web application logic flaw).
- **File indicators:** N/A.
- **Behavioral indicators:** Unusual patterns of a single user account accessing multiple company dashboards; frequent use of the "back" navigation in conjunction with the `/filing-for-another-company` endpoint.
## Response Actions
- **Containment:** WebFiling service immediately shut down upon confirmation of the report.
- **Eradication:** Logic flaw patched and verified by internal engineers.
- **Recovery:** Service restored; notification sent to the ICO and NCSC.
- **Ongoing:** Forensic audit of web logs to determine if the flaw was exploited by malicious actors prior to discovery.
## Lessons Learned
- **Regression Testing:** The vulnerability was introduced during a system update. Enhanced regression testing, specifically targeting authorization boundaries, is required.
- **User Feedback Loops:** The initial discoverer struggled to get a response from the agency, necessitating a third-party advocate (Tax Policy Associates) to escalate the issue.
- **State Management:** Web applications must strictly validate session ownership on every server-side request, regardless of client-side navigation (back/forward buttons).
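As an added illustration of the state-management lesson above (this is not code from Companies House or from the report; the entitlement store, the `Session` fields and the handler names are assumptions), the following contrasts a dashboard handler that trusts company context captured during client navigation with one that re-derives the authorisation decision from server-side entitlements on every request:

```python
"""Per-request authorisation for a multi-company filing dashboard.

Added illustration, not Companies House code: the entitlement store,
Session fields and handler names are assumptions. It contrasts a design
that trusts company context captured during navigation with one that
re-checks entitlement on every server-side request.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed data: which company numbers each account may file for.
ENTITLEMENTS: Dict[str, Set[str]] = {
    "user-a": {"01234567"},
    "user-b": {"07654321"},
}


class Forbidden(Exception):
    """Raised when a request is refused by the authorisation check."""


@dataclass
class Session:
    user_id: str
    # Company the UI last steered the user towards. It is written during
    # navigation, i.e. before any per-company authentication has finished,
    # so on its own it proves nothing about entitlement.
    current_company: Optional[str] = None


def select_company(session: Session, company_number: str) -> None:
    """Navigation step: remember where the user was heading."""
    session.current_company = company_number


def is_entitled(user_id: str, company_number: Optional[str]) -> bool:
    """Server-side source of truth, consulted on every request."""
    if company_number is None:
        return False
    return company_number in ENTITLEMENTS.get(user_id, set())


def dashboard_weak(session: Session) -> str:
    """Weak design: render the dashboard for whatever company the session
    context points at. Navigation state that was never confirmed by an
    authorisation check (an abandoned prompt, back/forward navigation)
    therefore leaks another company's dashboard."""
    if session.current_company is None:
        raise Forbidden("no company selected")
    return f"dashboard:{session.current_company}"


def dashboard_hardened(session: Session) -> str:
    """Hardened design: ignore how the client arrived and re-derive the
    decision from the entitlement store for this user and company."""
    if not is_entitled(session.user_id, session.current_company):
        raise Forbidden(f"{session.user_id} may not view {session.current_company}")
    return f"dashboard:{session.current_company}"


if __name__ == "__main__":
    s = Session("user-a")
    select_company(s, "07654321")  # user-b's company, reached by navigation only
    print("weak:", dashboard_weak(s))  # leaks dashboard:07654321
    try:
        dashboard_hardened(s)
    except Forbidden as exc:
        print("hardened refused:", exc)
```

The point of the hardened handler is that the entitlement lookup happens inside the request that renders protected data, not in an earlier step whose outcome the session merely remembers; whatever the browser's history does to the order of requests, each one is judged on its own.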
## Recommendations
- **Implement Robust CI/CD Security:** Include automated DAST (Dynamic Application Security Testing) to catch broken access control during the deployment of system updates.
- **Vulnerability Disclosure Program (VDP):** Establish a clear, responsive channel for ethical hackers to report vulnerabilities directly to Companies House.
- **Audit Logging:** Enhance logging to alert on "Horizontal Privilege Escalation" patterns, such as a single session identifier accessing more distinct company IDs than an established per-session baseline within a set timeframe.
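The behavioural indicator in the Indicators of Compromise section and the audit-logging recommendation above describe the same detection: one session reaching an unusual number of distinct company dashboards in a short window, with the `/filing-for-another-company` page in between. The following is an added example of that detection run over constructed access-log lines; it is not Companies House tooling, and the log line format, the `/company/<number>/dashboard` path shape, the `sid=` session field and the thresholds are all assumptions:

```python
"""Horizontal privilege-escalation detector over web access logs.

Added example, not Companies House code. The log line format, the
/company/<number>/dashboard path shape, the session-id field and the
thresholds are assumptions made for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log lines (not real Companies House logs): session s1
# walks four different company dashboards in about three minutes, passing
# through the filing-for-another-company page each time; s2 is a normal
# user on one company; s3 views two companies hours apart (for example an
# agent who legitimately acts for both).
SAMPLE_LOG = """\
2026-03-12T09:00:01Z sid=s1 user=u1 GET /company/01234567/dashboard 200
2026-03-12T09:00:40Z sid=s1 user=u1 GET /filing-for-another-company 200
2026-03-12T09:01:05Z sid=s1 user=u1 GET /company/07654321/dashboard 200
2026-03-12T09:01:30Z sid=s1 user=u1 GET /filing-for-another-company 200
2026-03-12T09:02:02Z sid=s1 user=u1 GET /company/02222222/dashboard 200
2026-03-12T09:02:45Z sid=s1 user=u1 GET /filing-for-another-company 200
2026-03-12T09:03:10Z sid=s1 user=u1 GET /company/03333333/dashboard 200
2026-03-12T09:05:00Z sid=s2 user=u2 GET /company/04444444/dashboard 200
2026-03-12T09:06:00Z sid=s2 user=u2 GET /company/04444444/dashboard 200
2026-03-12T10:00:00Z sid=s3 user=u3 GET /company/05555555/dashboard 200
2026-03-12T14:00:00Z sid=s3 user=u3 GET /company/06666666/dashboard 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sid=(?P<sid>\S+) user=(?P<user>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
DASHBOARD_RE = re.compile(r"^/company/(?P<company>\d{8})/dashboard$")
SWITCH_PATH = "/filing-for-another-company"  # endpoint named in the report


def parse_log(text: str) -> List[dict]:
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        d = DASHBOARD_RE.match(ev["path"])
        ev["company"] = d.group("company") if d else None
        events.append(ev)
    return events


def flag_sessions(events: List[dict], window_minutes: int = 10,
                  max_companies: int = 3) -> Dict[str, List[str]]:
    """Return {sid: sorted distinct companies} for every session that views
    more than max_companies distinct company dashboards inside any window
    of window_minutes. The baseline (3 in 10 minutes) is a placeholder;
    a real deployment would tune it per user type (agent vs director)."""
    window = timedelta(minutes=window_minutes)
    by_sid: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ev in events:
        if ev["company"] is not None:
            by_sid[ev["sid"]].append((ev["ts"], ev["company"]))
    flagged: Dict[str, List[str]] = {}
    for sid, views in by_sid.items():
        views.sort()
        for i, (t_end, _) in enumerate(views):
            in_window = {c for t, c in views[: i + 1] if t_end - t <= window}
            if len(in_window) > max_companies:
                flagged[sid] = sorted(in_window)
                break
    return flagged


def switch_page_hits(events: List[dict]) -> Dict[str, int]:
    """Count /filing-for-another-company requests per session; paired with
    flag_sessions this gives the analyst the context the report describes."""
    hits: Dict[str, int] = defaultdict(int)
    for ev in events:
        if ev["path"] == SWITCH_PATH:
            hits[ev["sid"]] += 1
    return dict(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for sid, companies in flag_sessions(evs).items():
        print(f"{sid}: {len(companies)} distinct companies in window -> {companies}")
    print("switch-page hits:", switch_page_hits(evs))
```

One caveat when applying this to real logs: a browser "back" press is client-side and never appears as a request, so what the server log actually records is the resulting sequence of switch-page and dashboard requests from the same session identifier; that sequence, not the button, is what the rule keys on.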