What the Companies House Incident Reveals About Cyber Risk

Over the weekend, you may have seen Companies House making headlines - for less than ideal reasons - which is a far cry from the norm for a site that should (in theory) sit quietly in the background of the business world.

At best, most people will interact with it occasionally to look up a company, file accounts, confirm directors or check ownership. It’s routine administrative infrastructure, for all intents and purposes.

Yet behind the scenes, it’s a bigger beast, holding the details of more than five million UK companies, including directors’ names, addresses, filing histories and corporate records, and until this weekend, it was assumed that this was done securely.

Until it wasn’t. 

These recent reports of a vulnerability exposing sensitive information have raised serious questions, so we’re going to unpack what’s happened and why it matters.

What Actually Happened

It’s not really an ‘out there’ take to suggest we’re living right on the precipice of an era of misinformation at levels we’ve never seen before, especially with the rise of AI, social media, and all that other good stuff. That’s why initial reports of this issue on places such as ‘X’ weren’t immediately cause for concern. And then people really started to dig into it.

In short, investigators - somehow - discovered a flaw in the Companies House WebFiling system that allowed access to information that should not have been publicly visible. In some cases, confidential details such as email addresses, full dates of birth and residential addresses of company directors could be exposed. 

They did this by entering a company’s number and then hitting the ‘back’ button several times in their browser until it took them to a site where they could amend Companies House filings.

What’s even more concerning is that the issue didn’t just let you see other people’s sensitive information; it also potentially allowed unauthorised changes to company records simply by manipulating navigation within the web interface. Why should you care? Well, cybercriminals could alter your company information or upload fake documents, and unless you’re checking regularly, you may have had no idea.
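The root cause has not been published, so the following is an added illustration rather than Companies House code: a constructed model of the class of flaw described above, where an edit page acts on whatever company the browser last navigated to, set beside a handler that re-checks authorisation on every request. All names and company numbers are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Session:
    user: str
    # Companies this session proved control of at sign-in (assumed model).
    authorised_companies: frozenset
    # Navigation state: whichever company number was looked up most recently.
    last_viewed_company: str = ""

@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)

AUDIT_LOG = []  # denied attempts, kept for detection and review

# Sensitive pages should not be re-served from browser history or caches.
NO_STORE = {"Cache-Control": "no-store"}

def view_company(session, company_number):
    """Public lookup: open to anyone, but it only records navigation state."""
    session.last_viewed_company = company_number
    return Response(200, f"public record for {company_number}")

def amend_filing_unsafe(session, new_address):
    """Anti-pattern: the target company is taken from navigation state."""
    target = session.last_viewed_company
    return Response(200, f"amended {target}: {new_address}")

def amend_filing_checked(session, company_number, new_address):
    """Authorise the explicit target against the session on every request."""
    if company_number not in session.authorised_companies:
        AUDIT_LOG.append((session.user, company_number, "amend denied"))
        return Response(403, "not authorised for this company", dict(NO_STORE))
    return Response(200, f"amended {company_number}: {new_address}",
                    dict(NO_STORE))
```

The denied branch writes to an audit log because a run of refused amendments against companies a session does not control is exactly the signal a monitoring team would want to alert on.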

In response, Companies House shut down the affected online filing service while it investigates the problem, and the full scope of the incident remains unclear at the time of writing, as more developments and details continue to emerge. But what matters right now is the lesson it highlights.

When Systems Become Critical Infrastructure

Companies House is a government website, sure, but it’s not insignificant. It’s effectively the backbone of corporate identity in the UK.

Banks rely on it.
Investors reference it.
Suppliers check it.
Journalists analyse it.
Some job hunters will look up their prospective employers in depth on there.

The register underpins how organisations verify each other in day-to-day business. And when infrastructure like that fails or is exposed, the consequences extend far beyond a technical glitch, and trust falls into question.

The Reality of Public Registers

One reason the situation is complicated is that, at its core, the Companies House register is designed to be open.

Transparency - to an extent - is a feature that’s built into the site, not a flaw. The UK has long allowed public access to company data, so businesses, journalists, regulators and everyone else I just mentioned, plus more, can monitor corporate activity.

You, as an individual, can freely search the register and view details such as registered addresses, directors, and filing histories. 

But anything with such openness comes with a degree of tension, and the more transparent a system becomes, the more important its controls and security architecture become.

A System Already Under Pressure

This incident also comes at a less-than-ideal time, as Companies House has been undergoing significant reform.

Recent legislation - in what CEO Louise Smyth has called “the most significant change for Companies House in our 180-year history” - has given the registrar new powers to tackle fraud and improve the accuracy of company data, including identity verification requirements for directors and people with significant control. 

Those reforms were introduced precisely because the register had historically been vulnerable to misuse. Fake directors, fraudulent companies and manipulated filings have all appeared on the system over the years, with made-up entities registered under names such as “Adolf Tooth Fairy Hitler”, “Darth Vader” and “Santa Claus”.

So, it’s fair to say that any steps taken to strengthen integrity are probably the right call, and events like this remind us that the technology supporting those reforms matters just as much as the law itself.

The Bigger Cybersecurity Lesson

It’s easy to look at a story like this and think it’s purely a government issue. Or that, if you don’t personally appear on there, why should you even care?

Well, in reality, the lessons from this apply everywhere.

Many organisations rely on platforms that sit outside their direct control. Government portals, cloud platforms, SaaS tools, payment systems, and third-party integrations all form part of the modern digital environment and are interwoven into your network, bypassing your defences and offering a direct line into sensitive information. So if - and when - those systems fail or expose data, the effects ripple outward.

A vulnerability in one place can affect thousands or even millions of users, even down to someone who never interacted with the technology directly - you only have to look at last year’s high-profile incidents for real-world case studies of what can (and does) happen when a breach occurs.

The Risk of Assuming Systems Are Secure

One of the most dangerous assumptions in modern IT is that systems run by large institutions must automatically be secure. Yet, in practice, scale does not eliminate risk - and if anything, the more users there are on a network, the greater the chance that a malicious outsider has a potential route into an organisation.

Plus, the larger platforms hold large amounts of data, which makes them attractive targets and complex systems to maintain, to the point that even small flaws in authentication, access control or web interfaces can have significant consequences.

That’s something that the ongoing Companies House situation illustrates clearly. It doesn’t take a dramatic cyber attack for problems to emerge. Sometimes a vulnerability is simply discovered by someone looking closely enough... Or in this case, spamming a ‘back’ button a bunch of times.

What Businesses Should Take From This

If you’re reading this, thinking, “So... Is the takeaway to panic?” No. It’s just a reframing, a fresh perspective.

Digital infrastructure underpins nearly every aspect of business operations, and honestly, it has done so for a long time at this point; you didn’t need me to tell you that. Some of this infrastructure sits within your network. Much of it sits outside it.

That means cyber resilience cannot stop at the firewall, and organisations need visibility over:

  • Which external systems they depend on

  • What data those systems hold

  • How access and identity are managed

  • How quickly issues can be detected and mitigated

Security is no longer just about defending your own systems. It’s as broad as understanding the ecosystem you operate within.

Final Thought

The Companies House register is a cornerstone of the UK business environment, and most of the time, it operates quietly and reliably in the background. That is, until incidents like this bring it briefly into focus and then serve as a reminder of something broader.

The digital systems we rely on every day are often invisible until something goes wrong. But when they do fail, the consequences are felt far beyond the technology itself.

Trust, after all, is infrastructure too.
