Companies House security issue: What it means for UK businesses

A recent Companies House security issue has raised important questions about the reliability of UK corporate data and the growing risk of fraud linked to public registries.

While not a traditional cyber attack, the vulnerability exposed weaknesses in how company information is accessed and managed, highlighting that even official sources can be open to manipulation.

For businesses, legal professionals and insolvency practitioners, the implications extend beyond data exposure. This incident underscores a broader concern: how much trust can be placed in Companies House data without independent verification?

What happened

The issue stemmed from a flaw within the Companies House WebFiling system, introduced during a system update in late 2025. The vulnerability allowed users to access company records that were not their own, in some cases through simple navigation actions.

As a result, sensitive director information, including dates of birth, residential addresses and contact details, may have been exposed.

More significantly, there were concerns that unauthorised filings could have been made, including:

  • Changes to director details
  • Amendments to registered office addresses
  • Submission of company filings

While there is no confirmed evidence of widespread abuse, the fact that the vulnerability existed for months has led to concerns around Companies House data reliability and potential misuse.

Why this matters for businesses

Increased corporate fraud risk

Companies House is widely used as a trusted data source by banks, lenders, counterparties and legal professionals. A weakness in this system creates opportunities for corporate fraud in the UK, particularly where bad actors exploit inaccurate or manipulated records.

This could include:

  • Impersonating legitimate companies
  • Opening bank accounts fraudulently
  • Diverting payments or correspondence

This form of corporate identity fraud is becoming increasingly sophisticated, particularly where verification processes rely heavily on registry data alone.

Director data exposure and targeted attacks

The exposure of personal data significantly increases the risk of:

  • Identity theft
  • Phishing and spear-phishing attacks
  • Social engineering targeting directors and senior individuals

Directors are often key decision makers with access to financial controls, making them high-value targets. The availability of this data through a Companies House vulnerability lowers the barrier for targeted fraud.

Reliability of Companies House data

For legal professionals and insolvency practitioners, this incident raises a critical issue: can Companies House be treated as a single source of truth?

In practice, reliance on unverified registry data can introduce risk into:

Where company records may be inaccurate or temporarily manipulated, decisions based solely on this data may be flawed.

How could this have been prevented?

The vulnerability appears to have been the result of system design and control failures, rather than a sophisticated external breach. Several preventative measures could have reduced the risk:

Stronger access controls

Proper segregation of user permissions should prevent any possibility of accessing another company’s records without authorisation.

Robust testing and QA processes

The flaw was introduced during a system update and remained undetected, suggesting insufficient penetration testing and user validation.

Layered security approach

Over-reliance on a single authentication method (such as filing codes) creates risk. A defence-in-depth approach, combining multiple verification layers, would significantly reduce exposure.

Continuous monitoring and alerts

Effective systems should detect:

  • Unusual access patterns
  • Irregular filing activity
  • Cross-account access attempts

The absence of such controls allowed the issue to persist longer than it should have.
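The cross-account check from the list above can be run over an audit trail, as in this added example (it is not Companies House code). The event fields, the account-to-company map and the sample events are all constructed assumptions.

```python
from collections import defaultdict

# Assumed map: filing account -> company numbers it is authorised to act for.
AUTHORISED = {
    "acct-100": {"01234567"},
    "acct-200": {"07654321", "SC123456"},
}

# Constructed audit events: (timestamp, account, company number, action).
EVENTS = [
    ("2026-01-05T09:00:01", "acct-100", "01234567", "view"),
    ("2026-01-05T09:00:40", "acct-100", "07654321", "view"),
    ("2026-01-05T09:01:10", "acct-100", "07654321", "file_change_address"),
    ("2026-01-05T09:05:00", "acct-200", "07654321", "file_confirmation"),
    ("2026-01-05T09:06:00", "acct-200", "SC123456", "view"),
    ("2026-01-05T09:07:00", "acct-300", "01234567", "view"),
]


def cross_account_alerts(events, authorised):
    """Return one alert per event that touches a company outside the account's set."""
    alerts = []
    for ts, account, company, action in events:
        allowed = authorised.get(account, set())  # unknown account: nothing allowed
        if company in allowed:
            continue
        # A filing against someone else's company is worse than a read.
        severity = "high" if action.startswith("file_") else "medium"
        alerts.append({"time": ts, "account": account, "company": company,
                       "action": action, "severity": severity})
    return alerts


def foreign_companies_by_account(alerts):
    """Group alerts so a reviewer sees which accounts reached which companies."""
    grouped = defaultdict(set)
    for alert in alerts:
        grouped[alert["account"]].add(alert["company"])
    return dict(grouped)


if __name__ == "__main__":
    found = cross_account_alerts(EVENTS, AUTHORISED)
    for alert in found:
        print(alert["severity"], alert["time"], alert["account"], alert["company"])
    print(foreign_companies_by_account(found))
```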

What should companies do now?

In light of this Companies House security issue, businesses should take proactive steps to mitigate risk:

  • Review company records for any unauthorised changes
  • Monitor filing history and updates regularly
  • Restrict internal access to filing credentials
  • Educate directors on fraud and phishing risks
  • Conduct enhanced due diligence on counterparties

Taking these steps can reduce exposure to company filing fraud and improve overall resilience.
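The first two steps can be automated by comparing a stored baseline of the company's record with a fresh copy, as in this added example (not ESA Risk or Companies House code). The snapshot layout, names, addresses and filing identifiers are constructed, and `expected_filings` is a hypothetical allow-list of filings the company knows it made.

```python
# Constructed snapshots of one company's public record, taken on different days.
# The dictionary layout is an assumption for this example, not a registry schema.
BASELINE = {
    "registered_office": "1 Example Street, Exampletown",
    "officers": {
        "Jane Example": {"role": "director", "resigned": None},
        "John Sample": {"role": "secretary", "resigned": None},
    },
    "filings": {"F001": "confirmation statement", "F002": "accounts"},
}
LATEST = {
    "registered_office": "99 Placeholder Road, Sampleville",
    "officers": {
        "Jane Example": {"role": "director", "resigned": "2026-01-10"},
        "John Sample": {"role": "secretary", "resigned": None},
        "Alex Unknown": {"role": "director", "resigned": None},
    },
    "filings": {"F001": "confirmation statement", "F002": "accounts",
                "F003": "change of registered office address"},
}


def diff_record(old, new, expected_filings=frozenset()):
    """List changes between two snapshots, skipping filings the company made itself."""
    findings = []
    if old["registered_office"] != new["registered_office"]:
        findings.append(("registered_office_changed", new["registered_office"]))
    old_off, new_off = old["officers"], new["officers"]
    for name in sorted(new_off.keys() - old_off.keys()):
        findings.append(("officer_added", name))
    for name in sorted(old_off.keys() - new_off.keys()):
        findings.append(("officer_removed", name))
    for name in sorted(old_off.keys() & new_off.keys()):
        if old_off[name] != new_off[name]:
            findings.append(("officer_details_changed", name))
    for filing_id in sorted(new["filings"].keys() - old["filings"].keys()):
        if filing_id not in expected_filings:
            findings.append(("unexpected_filing", filing_id))
    return findings


if __name__ == "__main__":
    for kind, detail in diff_record(BASELINE, LATEST):
        print(kind, detail)
```

Each finding that nobody in the business can account for is a prompt to check the filing history and who holds the filing credentials.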

The role of corporate investigations and due diligence

This incident highlights a key point: public registry data should not be relied upon in isolation.

At ESA Risk, we support clients with:

  • Independent verification of company information
  • Identification of discrepancies in filings
  • Corporate investigations into ownership and control
  • Due diligence on business partners and counterparties
  • Fraud risk assessment and ongoing monitoring

Where there is uncertainty around data integrity, independent intelligence provides clarity and reduces risk.

A wider issue for UK corporate transparency

The UK has taken steps to strengthen corporate transparency through legislative reform. However, this incident demonstrates that data availability must be matched by data security.

As Companies House becomes more central to fraud prevention efforts, its reliability and resilience are increasingly critical. For businesses and advisors, this means adopting a more cautious and investigative approach to corporate data.

Key takeaways for businesses and advisors

The Companies House vulnerability is a timely reminder that even official systems are not immune to risk.

For businesses, the threat lies in fraud, impersonation and data misuse. For legal and financial professionals, it highlights the importance of verifying information beyond surface-level records.

In an environment where corporate fraud risk in the UK continues to evolve, relying solely on publicly available data is no longer sufficient.

Independent verification, proactive monitoring and informed investigation are now essential components of effective risk management.

Speak to ESA Risk today

If you have concerns around the accuracy of Companies House data or potential exposure to corporate fraud, ESA Risk can assist. We support businesses, legal professionals and insolvency practitioners with discreet, intelligence-led enquiries to verify company information and identify risk.

Whether you require straightforward verification of company records or more in-depth investigations into ownership, control or suspected manipulation, we will work with you to understand your objectives and tailor our approach accordingly.

Where there is uncertainty around filings or director information, we can also undertake tracing, due diligence and background enquiries to ensure you are relying on accurate, up-to-date intelligence.

Contact our Client Services team at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form.


New national ‘Report Fraud’ service launches

Report Fraud, the UK’s national reporting service for cyber crime and fraud, has launched as the central platform for submitting fraud-related reports. The service replaces Action Fraud as the primary reporting route for individuals and organisations across England, Wales and Northern Ireland. It became operational in December 2025, with a full public rollout in January 2026.

Operated by the City of London Police, Report Fraud aims to offer a clear, modern and streamlined reporting experience for victims of phishing, ransomware, business email compromise, CEO fraud and other online scams.

What the new service provides

Report Fraud introduces updates to the way fraud and cyber crime reports are submitted and managed:

  • Structured reporting – A guided process supports users in submitting relevant information in a consistent format.
  • Guidance and information – Reporters are provided with information on what types of fraud and cyber crime can be reported, along with details on what happens after submission.
  • Victim support information – Reporters receive guidance and signposting to support services where applicable.
  • National crime analysis – Submitted reports are incorporated into a centralised analysis function used to identify trends, patterns and repeat activity at a national level.

How reports are processed and used

Reports submitted through Report Fraud are reviewed and handled as part of the national fraud reporting framework:

  • Intelligence assessment – Reports are assessed to identify links, patterns or indicators associated with organised or harmful criminal activity.
  • Dissemination – Where reports meet established criteria or are linked to other cases, they may be shared with the relevant police force for further consideration.
  • Reporter updates – In cases where police action follows, reporters may receive updates or a point of contact in accordance with the Victims’ Code of Practice.
  • Ongoing intelligence use – Reports that do not result in immediate investigation are retained for intelligence purposes, supporting monitoring activity, disruption measures, or future investigations.

National reporting for fraud and cyber crime

Cyber crime and fraud are among the most prevalent and economically damaging crimes in the UK, costing individuals and organisations billions each year. Report Fraud intends to provide a single national gateway for reporting and intelligence that strengthens collaboration between the public, businesses, law enforcement and other agencies.

Further information, including how to submit a report, is available at reportfraud.police.uk.

Fraud investigations by ESA Risk

If you suspect that a fraud has occurred within your business and need advice or support on the next steps, we’re here to help.

Additionally, we can help you to prevent fraud from occurring through manager and employee training and resource provision.

For further details, contact our Client Services team at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

