Last updated 3 weeks ago
Companies House, the United Kingdom's government registrar of companies, experienced a website glitch that exposed the personal and corporate information of millions of individuals and entities. The incident was publicly disclosed in March 2026, though the internal discovery timeline remains unspecified. The exposure affected the entire user population interacting with the Companies House registry system, putting sensitive corporate and personal data at risk of fraud.
The breach resulted from a misconfiguration or technical glitch in the Companies House website infrastructure. The vulnerability allowed unauthorized access to corporate records containing personal identifiable information of company directors and shareholders, along with sensitive corporate data including registration details and financial filings. No specific exploitation technique or CVE was cited, and no threat actor attribution was made in the initial disclosure.
No post-incident developments regarding regulatory actions, litigation, containment measures, or remediation milestones were detailed in the initial report. The breach notification status and any specific containment actions taken by Companies House following the disclosure remain unconfirmed.
Website glitch or misconfiguration that exposed personal and corporate information
This incident demonstrates critical failures in configuration management and vulnerability scanning for government web services handling sensitive corporate data. The Companies House breach highlights how even basic web application misconfigurations in government registries can expose millions of records, enabling corporate fraud and identity theft at national scale. The case underscores the need for continuous security validation of public-facing government portals that aggregate sensitive personal and business information.
Sign in to join the discussion.
Company
Industry
Location
Disclosed
Records Affected
Attack Vector