A recent vulnerability within Companies House has raised serious concerns around data integrity and corporate fraud risk.
A recent Companies House security issue has raised important questions about the reliability of UK corporate data and the growing risk of fraud linked to public registries.
While not a traditional cyber attack, the vulnerability exposed weaknesses in how company information is accessed and managed, highlighting that even official sources can be open to manipulation.
For businesses, legal professionals and insolvency practitioners, the implications extend beyond data exposure. This incident underscores a broader concern: how much trust can be placed in Companies House data without independent verification?
The issue stemmed from a flaw within the Companies House WebFiling system, introduced during a system update in late 2025. The vulnerability allowed users to access company records that were not their own, in some cases through simple navigation actions.
As a result, sensitive director information, including dates of birth, residential addresses and contact details, may have been exposed.
More significantly, there were concerns that unauthorised filings could have been made, including:
While there is no confirmed evidence of widespread abuse, the fact that the vulnerability existed for months has led to concerns around Companies House data reliability and potential misuse.
Companies House is widely used as a trusted data source by banks, lenders, counterparties and legal professionals. A weakness in this system creates opportunities for corporate fraud in the UK, particularly where bad actors exploit inaccurate or manipulated records.
This could include:
This form of corporate identity fraud is becoming increasingly sophisticated, particularly where verification processes rely heavily on registry data alone.
The exposure of personal data significantly increases the risk of:
Directors are often key decision makers with access to financial controls, making them high-value targets. The availability of this data through a Companies House vulnerability lowers the barrier for targeted fraud.
For legal professionals and insolvency practitioners, this incident raises a critical issue: can Companies House be treated as a single source of truth?
In practice, reliance on unverified registry data can introduce risk into:
Where company records may be inaccurate or temporarily manipulated, decisions based solely on this data may be flawed.
The vulnerability appears to have been the result of system design and control failures, rather than a sophisticated external breach. Several preventative measures could have reduced the risk:
Proper segregation of user permissions should prevent any possibility of accessing another company’s records without authorisation.
The flaw was introduced during a system update and remained undetected, suggesting insufficient penetration testing and user validation.
Over-reliance on a single authentication method (such as filing codes) creates risk. A defence-in-depth approach, combining multiple verification layers, would significantly reduce exposure.
Effective systems should detect:
The absence of such controls allowed the issue to persist longer than it should have.
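The controls described above (permission segregation, layered verification and monitoring), as an added sketch that is not Companies House code; every name, company number and filing code in it is hypothetical. Access is decided from server-side session state rather than from the record a request names, the filing code is a second check rather than the only one, and each decision is logged so repeated cross-company attempts can be flagged.

```python
import hmac
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Session:
    user_id: str
    authorised_companies: frozenset  # company numbers linked to this account


@dataclass
class Registry:
    auth_codes: dict                 # company number -> filing code (constructed)
    audit: list = field(default_factory=list)

    def authorise(self, session, company_number, action, supplied_code=None):
        """Deny by default and record every decision for monitoring."""
        # Layer 1: the account must be linked to the company it is asking
        # for, whatever record the URL or form field names.
        allowed = company_number in session.authorised_companies
        # Layer 2: filing also needs the company's code, compared in
        # constant time. The code alone never grants access.
        if allowed and action == "file":
            expected = self.auth_codes.get(company_number, "")
            allowed = bool(expected) and hmac.compare_digest(
                expected, supplied_code or "")
        self.audit.append((session.user_id, company_number, action, allowed))
        return allowed


def flag_cross_company_access(audit, threshold=3):
    """Return users denied against at least `threshold` distinct companies."""
    denied = {}
    for user, company, _action, allowed in audit:
        if not allowed:
            denied.setdefault(user, set()).add(company)
    return sorted(u for u, seen in denied.items() if len(seen) >= threshold)


if __name__ == "__main__":
    # Constructed sample data, not real company numbers or codes.
    reg = Registry(auth_codes={"00000001": "A1B2C3", "00000002": "Z9Y8X7"})
    owner = Session("alice", frozenset({"00000001"}))
    print(reg.authorise(owner, "00000001", "file", "A1B2C3"))
    print(reg.authorise(owner, "00000002", "file", "Z9Y8X7"))
    prober = Session("probe", frozenset())
    for number in ("00000001", "00000002", "00000003"):
        reg.authorise(prober, number, "view")
    print(flag_cross_company_access(reg.audit))
```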
In light of this Companies House security issue, businesses should take proactive steps to mitigate risk:
Taking these steps can reduce exposure to company filing fraud and improve overall resilience.
This incident highlights a key point: public registry data should not be relied upon in isolation.
At ESA Risk, we support clients with:
Where there is uncertainty around data integrity, independent intelligence provides clarity and reduces risk.
The UK has taken steps to strengthen corporate transparency through legislative reform. However, this incident demonstrates that data availability must be matched by data security.
As Companies House becomes more central to fraud prevention efforts, its reliability and resilience are increasingly critical. For businesses and advisors, this means adopting a more cautious and investigative approach to corporate data.
The Companies House vulnerability is a timely reminder that even official systems are not immune to risk.
For businesses, the threat lies in fraud, impersonation and data misuse. For legal and financial professionals, it highlights the importance of verifying information beyond surface-level records.
In an environment where corporate fraud risk in the UK continues to evolve, relying solely on publicly available data is no longer sufficient.
Independent verification, proactive monitoring and informed investigation are now essential components of effective risk management.
If you have concerns around the accuracy of Companies House data or potential exposure to corporate fraud, ESA Risk can assist. We support businesses, legal professionals and insolvency practitioners with discreet, intelligence-led enquiries to verify company information and identify risk.
Whether you require straightforward verification of company records or more in-depth investigations into ownership, control or suspected manipulation, we will work with you to understand your objectives and tailor our approach accordingly.
Where there is uncertainty around filings or director information, we can also undertake tracing, due diligence and background enquiries to ensure you are relying on accurate, up-to-date intelligence.
Contact our Client Services team at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form.