A serious security flaw in Companies House's WebFiling system left confidential data for all 5 million UK companies potentially exposed for five months, allowing unauthorised access through something as simple as pressing the browser back button. The vulnerability, which persisted from August 2025 until January 2026, ranks among the most serious government digital infrastructure failures in recent years. Companies House WebFiling is the official portal where UK companies submit mandatory filings, including sensitive director information and financial data.
According to government reporting, the flaw was introduced when Companies House integrated WebFiling with GOV.UK One Login, creating a session management defect that bypassed authorisation checks: a logged-in user could reach another company's confidential filing data using ordinary browser navigation, effectively turning a basic browser function into a master key for the UK's corporate registry.
Key Facts:
- All 5 million UK companies were potentially exposed for five months
- Unauthorised users could both view and modify other companies' confidential data
- The vulnerability required no technical expertise, just browser back button navigation
- Companies House only discovered the issue through routine security testing in January 2026
How Did Basic Web Security Fail So Spectacularly?
The vulnerability stemmed from improper session handling during the integration with GOV.UK One Login, the government's centralised authentication system. When users logged out or switched between company accounts, the system failed to invalidate the previous session and did not re-verify, on each subsequent request, that the current user was authorised for the company whose data was being requested. As a result, pressing the back button could return a user to pages containing another company's data, with full read and write permissions intact. The NCSC's Web Application Security Testing guidance explicitly warns against such session management failures, which makes this breach particularly concerning given that the government's own security standards already cover it.
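The failure mode described above, as an added illustrative model written for this article (it is not Companies House, WebFiling or GOV.UK One Login code, and the user names, company numbers, handler names and the "Back button as request replay" simplification are all assumptions). It models one URL, /company/<number>/filing, served by a vulnerable handler that treats "has a live session" as "authorised for any company" and never invalidates sessions server-side, and by a hardened handler that destroys the session on logout, authorises every request against the company named in the URL, and marks the response `Cache-Control: no-store` so the browser cannot resurrect it from its cache on Back (a standard hardening, not something the page reports about WebFiling):

```python
"""Constructed model of a session-handling flaw: vulnerable vs hardened handlers.

Not Companies House code. A "Back button" press is modelled as the browser
re-issuing an earlier request with whatever session cookie it holds now.
"""
from dataclasses import dataclass
import secrets

# Constructed registry: which user is allowed to act for which company number.
AUTHORISED = {"alice": {"00000001"}, "bob": {"00000002"}}
# Constructed filing data standing in for director details.
FILINGS = {
    "00000001": {"directors": ["A. Director (constructed)"]},
    "00000002": {"directors": ["B. Director (constructed)"]},
}


@dataclass
class Session:
    user: str


class Server:
    """Minimal stand-in for a web app: session cookie -> Session, plus handlers."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.sessions: dict[str, Session] = {}
        # Per-instance copy so a vulnerable write cannot leak into another run.
        self.filings = {k: dict(v) for k, v in FILINGS.items()}

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(user=user)
        return sid  # value the browser stores in its session cookie

    def logout(self, sid: str) -> None:
        if self.hardened:
            self.sessions.pop(sid, None)  # server-side invalidation
        # Vulnerable variant: only the browser drops the cookie; the server-side
        # session stays live, so replaying the old cookie still works.

    def _authorise(self, sid: str, company: str) -> int:
        """Shared check for read and write paths; returns 0 when allowed."""
        session = self.sessions.get(sid)
        if session is None:
            return 401
        if self.hardened and company not in AUTHORISED.get(session.user, set()):
            # Authorise against the resource in THIS request, never against a
            # company remembered from an earlier page.
            return 403
        return 0  # vulnerable path: any live session may touch any company

    def get_filing(self, sid: str, company: str) -> tuple[int, dict, dict]:
        """GET /company/<company>/filing -> (status, headers, body)."""
        if (status := self._authorise(sid, company)):
            return status, {}, {}
        headers = {"Cache-Control": "no-store"} if self.hardened else {}
        return 200, headers, self.filings[company]

    def update_filing(self, sid: str, company: str, directors: list[str]) -> int:
        """POST /company/<company>/filing -> status. Same check as the read path."""
        if (status := self._authorise(sid, company)):
            return status
        self.filings[company]["directors"] = directors
        return 200


def back_button_replay(server: Server) -> dict[str, int]:
    """alice views company 1, logs out, bob logs in, then Back is pressed."""
    alice_sid = server.login("alice")
    assert server.get_filing(alice_sid, "00000001")[0] == 200
    server.logout(alice_sid)
    bob_sid = server.login("bob")
    return {
        # Back: the browser re-requests alice's page with bob's cookie.
        "other_user_read": server.get_filing(bob_sid, "00000001")[0],
        # Resubmitting the form on that page as bob.
        "other_user_write": server.update_filing(bob_sid, "00000001", ["X"]),
        # A stale tab still carrying alice's pre-logout cookie.
        "stale_cookie_read": server.get_filing(alice_sid, "00000001")[0],
    }


if __name__ == "__main__":
    print("vulnerable:", back_button_replay(Server(hardened=False)))
    print("hardened:  ", back_button_replay(Server(hardened=True)))
```

The same replay sequence is a reasonable manual test against a real application: log in as one principal, open a resource, log out or switch account, log in as a second principal, press Back, and confirm the page both fails to render from cache and returns 403 (or 401 for the old cookie) when re-requested.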
The implications extend far beyond simple data exposure. Directors' personal information, including home addresses and dates of birth, became accessible to anyone who stumbled upon the flaw. More critically, unauthorised users could potentially modify filing data, creating risks around corporate fraud and regulatory compliance. The vulnerability directly undermines the integrity of the UK's corporate registry, at a time when UK directors already face increasing personal liability for security failures.
Boardroom Questions
- How do we verify that our own web applications properly invalidate user sessions and prevent unauthorised data access through browser navigation?
- What contingency plans exist if government systems we depend on suffer similar authentication failures that could expose our corporate data?
- Are we conducting regular penetration testing that includes basic session management flaws, not just sophisticated attack vectors?
Quick Diagnostic
- Do your web applications properly invalidate user sessions when users log out or switch accounts?
- Have you tested whether pressing browser back buttons can expose data from previous user sessions?
- Do you have monitoring in place to detect unauthorised access to sensitive corporate data through session manipulation?
Related Reading
Companies House Glitch Exposed 5 Million Directors to Data Thieves — A simple back button exploit in Companies House WebFiling exposed director personal data for 5 months, highlighting crit
UK Directors Face Personal Liability for Cyber Failures — The Cyber Security and Resilience Bill removes the 'ignorance defence' for UK directors, introducing personal liability
Three-Quarters of UK Businesses Are Failing Identity Recovery Tests — New survey reveals 76% of UK organisations aren't testing identity disaster recovery adequately, creating dangerous blin
SQL Server Zero-Days Hand Attackers Database Kingdom Keys — Microsoft's SQL Server CVE-2026-21262 vulnerability allows attackers to bypass authentication and gain sysadmin privileg
Microsoft Just Made Passkeys Mandatory. Here Is What That Means. — Microsoft is auto-enabling passkeys across Entra ID tenants. UK businesses must prepare for mandatory passwordless authe