Key Facts: Gov.uk Data Breach
- Date reported: March 16, 2026.
- Unauthorized access identified: October 2025 (vulnerability active since this date).
- Target entity: GOV.UK (Companies House).
- Source of breach: Security flaw in the WebFiling service.
- Data types: Management home and email addresses, dates of birth, and residential addresses.
- Severity: Medium; while no passwords were compromised, sensitive personal identifiers for five million company records were accessible.
What happened in the Gov.uk data breach?
Gov.uk confirmed a data leak involving its Companies House registry, reported on March 16, 2026. The incident stemmed from a security flaw in the agency's WebFiling service; the flaw had been active since October 2025. The vulnerability was initially reported by Dan Neidle, and no specific threat actor has been identified in connection with it.
The security flaw allowed logged-in users to access dashboards belonging to other companies. This vulnerability potentially exposed the personal information of management personnel across five million registered companies, including home and email addresses, dates of birth, and residential addresses. The severity is categorized as medium because sensitive personal identifiers were accessible, though Companies House stated that no passwords were compromised and no unauthorized changes were made to company records. Such leaks typically increase the risk of targeted social engineering and identity theft.
Who is behind the incident?
The attacker or cause of the incident has not been identified.
Impact and risks for Gov.uk customers
For the management personnel of the five million companies involved, the exposure of residential addresses and dates of birth presents a risk of identity theft and targeted social engineering. Malicious actors could potentially use this information to impersonate individuals or gain access to other services that use these details for verification. There is also a plausible risk of phishing attacks targeting the exposed email addresses.
Typical outcomes of such leaks include increased fraudulent activity and a loss of trust in digital government services. Affected users should monitor their financial statements, enable multi-factor authentication on all accounts, and use identity monitoring services. Maintaining transparency about the incident and the steps taken to remediate the flaw helps in restoring public confidence.
How to protect against similar security incidents
Following the leak at Companies House involving management data, affected individuals and organizations should take immediate steps to secure their personal and corporate identities.
- Implement phishing-resistant MFA
  - Ensure all corporate and personal email accounts use multi-factor authentication, preferably using hardware keys or authenticator apps rather than SMS. This prevents unauthorized access even if email addresses were exposed.
- Monitor credit and identity
  - Since dates of birth and residential addresses were involved, affected individuals should enroll in identity theft protection services.
  - Regularly review credit reports for any unusual activity or unauthorized accounts.
- Enhance social engineering awareness
  - Conduct training for company leadership on spotting sophisticated phishing attempts that may use the leaked personal details to build trust.
  - Verify all sensitive requests through secondary communication channels.
- Deploy attack surface management
  - Utilize continuous monitoring tools to identify vulnerabilities in web-facing services and APIs before they can be exploited.
  - Regularly audit access controls and user permissions within government and corporate portals.
Proactive monitoring and robust authentication are essential to defending against the misuse of leaked administrative data.
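One way to carry out the access-control audit recommended above for the flaw class this page describes (a logged-in user being served another company's dashboard), as an added example that is not Companies House or UpGuard code. The log format, URL path, account names and authorisation map are all constructed assumptions.

```python
import re

# Constructed authorisation map: company numbers each account may act for.
AUTHORISED = {
    "alice@example.test": {"01234567"},
    "bob@example.test": {"07654321", "09999999"},
}

# Constructed access-log lines (hypothetical format: time user method path status).
SAMPLE_LOG = """\
2026-03-01T09:00:01Z alice@example.test GET /company/01234567/dashboard 200
2026-03-01T09:00:09Z alice@example.test GET /company/07654321/dashboard 200
2026-03-01T09:01:30Z bob@example.test GET /company/07654321/dashboard 200
2026-03-01T09:02:02Z bob@example.test GET /company/01234567/dashboard 403
2026-03-01T09:02:40Z carol@example.test GET /company/09999999/dashboard 200
malformed line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) "
    r"/company/(?P<company>[A-Z0-9]{8})/dashboard (?P<status>\d{3})$"
)

def may_access(user, company, authorised=AUTHORISED):
    """Object-level check: deny unless the user is explicitly bound to the company."""
    return company in authorised.get(user, set())

def audit(log_text, authorised=AUTHORISED):
    """Return (findings, skipped): requests that were served but fail the check."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # count unparsed lines so gaps in coverage are visible
            continue
        served = m["status"].startswith("2")
        if served and not may_access(m["user"], m["company"], authorised):
            findings.append((m["ts"], m["user"], m["company"]))
    return findings, skipped

if __name__ == "__main__":
    findings, skipped = audit(SAMPLE_LOG)
    for ts, user, company in findings:
        print(f"{ts} {user} was served the dashboard of {company} without authorisation")
    print(f"{skipped} unparsed line(s)")
```

The same `may_access` check belongs in the request handler itself, evaluated against the authenticated session on every request; the log audit only shows whether it was missing in the past.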
Frequently asked questions
What happened in the Gov.uk security breach?
On March 16, 2026, gov.uk disclosed a security breach. According to initial reports, a security flaw in the Companies House WebFiling service exposed sensitive management information, including home addresses and dates of birth, for five million registered companies.
When did the Gov.uk breach occur?
The gov.uk breach was publicly reported on March 16, 2026. The vulnerability is believed to have existed since October 2025, though the exact date it was first identified has not been disclosed.
What data was exposed?
The security flaw potentially exposed the personal information of management personnel across five million companies, including home and email addresses, dates of birth, and residential addresses.
Is my personal information at risk?
If you interacted with gov.uk or are listed as management for a UK company, there's a possibility your personal information could be affected. Similar incidents often involve email addresses, login details, or financial records. Stay alert for updates and take precautionary measures to secure your accounts.
How can I protect myself after a data breach?
- Change passwords for registered accounts
- Enable multi-factor authentication (MFA)
- Monitor credit reports and financial accounts
- Be wary of phishing emails or calls
- Use breach monitoring tools to track data exposure
What steps should companies take after being breached?
Companies House has restored the service, notified the ICO and NCSC, and is conducting an investigation. Organizations should secure systems, notify affected parties, provide guidance on protective actions, review security measures, and deploy attack surface management.
