A fundamental authentication failure in Companies House's WebFiling system exposed the personal data of over 5 million UK company directors to any logged-in user for five months. The breach demonstrates how basic access control weaknesses can create enterprise-wide vulnerabilities, particularly as UK directors face increasing personal liability for cyber failures.
According to reporting from The Register, the vulnerability was discovered when security researchers found that pressing the browser's back button after logging into WebFiling would display other users' data, including directors' home addresses, email addresses, and dates of birth. An authentication flaw is a security weakness that lets someone bypass or exploit login verification to reach systems or data they are not entitled to. In this case users were logged in legitimately but the application did not check which user's data a given page should show, so the weakness sits at the boundary between authentication (who is this?) and authorisation (what may they see?).
Key Facts:
- Over 5 million UK company directors had personal data exposed for five months
- Simple browser back button exploit bypassed authentication controls
- Attackers could file fraudulent documents against other companies
- The vulnerability required only basic user account access to exploit
How Did Basic Controls Fail This Catastrophically?
The Companies House incident reveals a session management failure: the system did not validate the requesting user's permissions when a previously rendered page was displayed again. WebFiling's authentication appeared to work correctly at login but did not re-check, on each subsequent request, that the current session was entitled to the data being served, so navigating back through browser history showed pages belonging to other users. This allowed authenticated users to reach other users' data using nothing more than standard browser functionality. The same missing check also let malicious users submit filings against companies they had no authority to represent, potentially facilitating corporate fraud at scale.
What Does This Mean for Private Sector Security?
If the UK government's official corporate registry can suffer such basic authentication failures, private sector organisations must immediately audit their own access controls. The NCSC's guidance on identity and access management emphasises that proper session handling requires continuous validation, not just initial authentication. Companies relying on web applications for sensitive data processing should implement robust session management, including proper cache controls and permission verification on every page request. This incident underscores why the ICO continues to emphasise that technical and organisational measures must work together to prevent unauthorised data access.
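The two controls just described, an authorisation check on every request and cache headers that stop authenticated pages being replayed, can be shown side by side in a small model. The following is an added example written for this article, not code from Companies House or WebFiling: the endpoint shape, the session cookie, the user and officer records and the cache are all constructed assumptions, and the cache is a deliberately simplified stand-in for a shared proxy or a browser history cache.

```javascript
// Added example (not Companies House or WebFiling code): a minimal model of a
// "view officer details" endpoint, first with the two defects the article
// describes (no per-request ownership check; cacheable authenticated responses),
// then hardened. Plain Node.js, no dependencies. All users, sessions and officer
// records below are constructed for the example.

// Constructed fixtures: two users, each authorised for exactly one company.
const USERS = {
  "sess-alice": { user: "alice", companies: new Set(["00000001"]) },
  "sess-bob":   { user: "bob",   companies: new Set(["00000002"]) },
};
const OFFICERS = {
  "00000001": { name: "A. Director", dob: "1970-01", address: "1 Example Street" },
  "00000002": { name: "B. Director", dob: "1982-07", address: "2 Example Road" },
};

// Resolve the session from the Cookie header ("session=sess-alice").
function sessionOf(req) {
  const m = /(?:^|;\s*)session=([^;]+)/.exec(req.headers.cookie || "");
  return m ? USERS[m[1]] : undefined;
}

// Company number is the second path segment of /company/<number>/officers.
function companyOf(req) {
  return req.url.split("/")[2];
}

// Vulnerable: checks only that *some* session exists, never that it is entitled
// to the company named in the URL, and sets no cache headers, so an intermediary
// or the browser's history cache may replay the page to a different user.
function vulnerableHandler(req) {
  if (!sessionOf(req)) return { status: 302, headers: { location: "/login" }, body: "" };
  const rec = OFFICERS[companyOf(req)];
  if (!rec) return { status: 404, headers: {}, body: "" };
  return { status: 200, headers: { "content-type": "application/json" }, body: JSON.stringify(rec) };
}

// Hardened: every response on this route is marked no-store, and the session
// must be authorised for the specific company on every single request.
function hardenedHandler(req) {
  const headers = { "cache-control": "no-store", "pragma": "no-cache", "vary": "Cookie" };
  const s = sessionOf(req);
  if (!s) return { status: 302, headers: { ...headers, location: "/login" }, body: "" };
  const company = companyOf(req);
  if (!s.companies.has(company)) return { status: 403, headers, body: "" };
  const rec = OFFICERS[company];
  if (!rec) return { status: 404, headers, body: "" };
  return { status: 200, headers: { ...headers, "content-type": "application/json" }, body: JSON.stringify(rec) };
}

// A deliberately simple cache standing in for a shared proxy or a browser
// history cache: keeps any 200 response not marked no-store and replays it to
// the next request for the same URL, whoever sends it. Real proxies also honour
// Vary and browser caches have their own rules; no-store is the control to rely on.
function makeCache() {
  const store = new Map();
  return function fetch(handler, req) {
    if (store.has(req.url)) return { ...store.get(req.url), fromCache: true };
    const res = handler(req);
    const cc = (res.headers["cache-control"] || "").toLowerCase();
    if (res.status === 200 && !cc.includes("no-store")) store.set(req.url, res);
    return { ...res, fromCache: false };
  };
}

// Scenario: Alice views her own company's officers; Bob then requests the same
// URL (back button on a shared machine, or via a shared proxy). Did Bob see
// Alice's data, and was it served from cache?
function runScenario(handler) {
  const fetch = makeCache();
  const url = "/company/00000001/officers";
  const alice = fetch(handler, { url, headers: { cookie: "session=sess-alice" } });
  const bob = fetch(handler, { url, headers: { cookie: "session=sess-bob" } });
  return {
    aliceStatus: alice.status,
    bobStatus: bob.status,
    bobFromCache: bob.fromCache,
    bobSawAliceData: bob.body.includes("1 Example Street"),
  };
}

console.log("vulnerable:", runScenario(vulnerableHandler));
console.log("hardened:  ", runScenario(hardenedHandler));
```

Run with `node` and compare the two lines: under the vulnerable handler Bob receives Alice's record with a 200 served from cache; under the hardened handler Alice's page is never stored and Bob's request is refused with 403 because his session is not authorised for that company. Note that the hardened handler would still refuse Bob even with no cache in the path, which is the point of checking authorisation per request rather than per login; the cache headers close the second, independent replay path.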
Boardroom Questions
- Have we conducted penetration testing specifically focused on session management and browser-based authentication bypasses?
- What would happen if our authenticated users could access other customers' data through simple browser navigation?
- Do our web applications re-verify user permissions for every sensitive data request, not just initial login?
Quick Diagnostic
- Can users access cached pages containing sensitive data after navigating away and returning via browser controls?
- Do your web applications implement proper session timeout and permission validation on every page?
- Have you tested what happens when authenticated users manipulate URLs or use browser navigation to access different data sets?