Key facts: GOV.UK data breach
- Date reported: March 16, 2026.
- Unauthorized access identified: October 2025 (vulnerability existence reported).
- Target entity: Companies House (via GOV.UK).
- Source of breach: Security flaw in WebFiling service (reported by researcher Dan Neidle).
- Data types: Email addresses, home addresses, residential addresses, and dates of birth of company management personnel.
- Status: Confirmed; service restored and incident reported to the ICO and NCSC.
- Severity: Medium; sensitive personal data was exposed to other logged-in users, though passwords and company records remained intact.
What happened in the GOV.UK data breach?
GOV.UK (gov.uk) reported a security incident involving Companies House on March 16, 2026. The incident was caused by a security flaw in its WebFiling service that exposed the personal information of five million registered companies. No threat actor has been identified as responsible for the vulnerability, which was brought to light by researcher Dan Neidle.
Companies House confirmed that the flaw allowed logged-in users to access dashboards belonging to other companies. This exposure included sensitive management data such as home addresses, email addresses, and dates of birth. The incident is considered medium severity because while personal data was accessible, user passwords were not compromised and no unauthorized changes were made to company records. The service has since been restored, but the potential for the data to be used in secondary attacks remains a concern.
Who is behind the incident?
The attacker or cause of the incident has not been identified.
Impact and risks for GOV.UK customers
For company directors and management personnel, the exposure of residential addresses and dates of birth presents significant risks. This sensitive information can be leveraged by malicious actors for targeted phishing, identity theft, or social engineering. Even without compromised passwords, the availability of verified personal details allows attackers to build more convincing profiles for fraudulent activities.
Typical outcomes of such leaks include an increase in unsolicited contact and potential attempts at credential stuffing. Affected individuals should monitor their credit files for unauthorized activity and exercise caution with unexpected communications. Proactive transparency and reporting to the Information Commissioner's Office (ICO) help in managing the long-term impact on the registered business community.
How to protect against similar security incidents
In light of the Companies House data exposure involving GOV.UK, management personnel of registered companies should take steps to secure their personal and professional information.
- Monitor for identity theft. Regularly review credit reports for any unfamiliar accounts or inquiries. Consider enrolling in an identity theft protection service to receive alerts about the use of your personal details. Be vigilant for any unexpected physical mail or financial statements sent to your home address.
- Practice heightened email security. Treat all unsolicited emails with suspicion, especially those referencing company registry details. Enable phishing-resistant multi-factor authentication (MFA) on all professional and personal accounts. Do not click on links or download attachments from unverified sources.
- Implement attack surface management. Organizations should utilize continuous monitoring tools to identify vulnerabilities in public-facing web services. Conduct regular security audits of access controls and dashboard permissions to prevent unauthorized data exposure. Ensure that third-party vulnerabilities are patched promptly as part of a robust patch management strategy.
Maintaining a proactive security posture and monitoring for the misuse of personal data are essential steps in mitigating the impact of this registry leak.
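The access-control audit recommended above can be automated as a test that requests every dashboard as every account and compares the result with the intended permissions. The following is an added example, not Companies House code and not a reconstruction of the WebFiling flaw, whose mechanism is not described here; the handlers, account names, company IDs and dashboard fields are all hypothetical.

```python
# Added illustration; all names and data below are constructed, not Companies House code.
class Forbidden(Exception):
    pass

# Which company each logged-in account is authorised to file for (constructed).
AUTHORISED = {"alice": {"C001"}, "bob": {"C002"}, "carol": {"C001", "C003"}}

# Dashboard contents per company (constructed placeholder values).
DASHBOARDS = {
    "C001": {"director_dob": "1970-01-01", "home_address": "1 Example Road"},
    "C002": {"director_dob": "1980-02-02", "home_address": "2 Example Road"},
    "C003": {"director_dob": "1990-03-03", "home_address": "3 Example Road"},
}

def dashboard_session_only(user, company_id):
    """Weak check: confirms the caller is logged in, not which company they may view."""
    if user not in AUTHORISED:
        raise Forbidden("not logged in")
    return DASHBOARDS[company_id]

def dashboard_object_level(user, company_id):
    """Hardened check: the requested company must be in the caller's authorised set."""
    if company_id not in AUTHORISED.get(user, set()):
        raise Forbidden("not authorised for this company")
    return DASHBOARDS[company_id]

def audit_dashboard_permissions(handler):
    """Request every (user, company) pair and compare the outcome with AUTHORISED.

    Returns 'leaks' (access granted without authorisation) and 'blocked'
    (authorised access wrongly refused), so both failure directions are caught.
    """
    leaks, blocked = [], []
    for user, allowed in sorted(AUTHORISED.items()):
        for company_id in sorted(DASHBOARDS):
            try:
                handler(user, company_id)
                granted = True
            except Forbidden:
                granted = False
            if granted and company_id not in allowed:
                leaks.append((user, company_id))
            elif not granted and company_id in allowed:
                blocked.append((user, company_id))
    return {"leaks": leaks, "blocked": blocked}

if __name__ == "__main__":
    for handler in (dashboard_session_only, dashboard_object_level):
        print(handler.__name__, audit_dashboard_permissions(handler))
```

Run as part of a release pipeline, a non-empty `leaks` list fails the build before a login-only check reaches production.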
Frequently asked questions
What happened in the GOV.UK security breach?
On March 16, 2026, GOV.UK (gov.uk) disclosed a security breach. According to initial reports, a security flaw in the Companies House WebFiling service exposed sensitive information, including home addresses and dates of birth, of five million registered companies.
When did the GOV.UK breach occur?
The GOV.UK breach was publicly reported on March 16, 2026. The exact date of the attack has not been disclosed, though the vulnerability had reportedly existed since October 2025.
What data was exposed?
The types of data involved in the GOV.UK incident include email addresses, home addresses, residential addresses, and dates of birth of company management. This page will be updated as verified information becomes available.
Is my personal information at risk?
If you interacted with GOV.UK or are a director of a U.K. company, there's a possibility your personal information could be affected. Similar incidents often involve email addresses, login details, or financial records. Stay alert for updates and take precautionary measures to secure your accounts.
How can I protect myself after a data breach?
• Monitor your credit reports for suspicious activity.
• Enable multi-factor authentication (MFA) on all accounts.
• Be wary of phishing emails or phone calls using your personal details.
• Use breach monitoring tools to track the exposure of your email address.
What steps should companies take after being breached?
Companies House has restored the WebFiling service, reported the incident to the ICO and NCSC, and is conducting an investigation. They are expected to review security measures and deploy enhanced monitoring to prevent future vulnerabilities.
This cybersecurity news article is powered by UpGuard Breach Risk — continuous attack surface monitoring for your organisation and supply chain.