Originally reported by Infosecurity Magazine
TL;DR
A web vulnerability in the UK's Companies House platform exposed corporate and personal information of millions of individuals and businesses. The exposure creates significant fraud risk, since the exposed data could be weaponized by threat actors for business email compromise and corporate identity theft.
While the exposure affects millions of records containing corporate and personal information that could enable fraud, there is no indication of active exploitation or confirmed misuse of the exposed data.
A technical vulnerability in the UK's Companies House website has exposed the personal and corporate information of millions of individuals and businesses to unauthorized access. The government registry platform, which maintains official records for all UK companies, experienced a web application flaw that could enable fraudulent access to sensitive corporate data.
The exposure affects the UK's primary corporate registry, which contains:
Given that Companies House maintains records for over 4.8 million active UK companies, the potential scope of exposed information is substantial.
The exposed corporate data presents multiple attack vectors for threat actors:
While specific technical details of the vulnerability remain undisclosed, web application flaws in government platforms typically involve:
The incident highlights the critical security posture required for platforms handling corporate registry data, particularly given the cascading fraud risks associated with business identity information.
Companies House has not yet provided public details on remediation timelines or specific mitigation measures implemented. Organizations should monitor their corporate filings for unauthorized changes and implement additional verification procedures for business communications.