Companies House has confirmed a security breach in its WebFiling service that briefly allowed authenticated users to access or amend certain details relating to companies they were not authorised to manage.
The incident, publicly acknowledged on 16 March 2026, involved a flaw that could be triggered only after a user followed a particular sequence of actions while logged into WebFiling with an authorised code.
Although not accessible to the general public, the vulnerability created a window in which private information, including directors’ dates of birth, residential addresses and company email addresses, may have been exposed to other registered users. There was also potential for unauthorised filings, such as director changes or accounts submissions, to be made.
Companies House took WebFiling offline at 1:30pm on Friday 13 March, restoring it only after independent testing on Monday 16 March at 9am. Companies House said that early findings indicate that the flaw was introduced during a system update in October 2025.
Companies House Chief Executive Officer, Andy King, stressed that several critical categories of data were untouched:
• Passwords were not compromised.
• Identity‑verification data - such as passport information - remained secure.
• Existing filed documents could not be altered through the vulnerability.
• The issue could not have been used to extract data at scale, with any access limited to individual records
Companies House has reported the incident to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC) and is examining its systems for anomalies. Each registered company will receive guidance on how to check its filings and raise concerns.
Public sector bodies routinely rely on Companies House data to support procurement due‑diligence, monitor companies involved in regulated sectors, support trading standards enforcement, and detect fraud.
Companies House is urging all companies to review their registered details and filing history for irregularities and to submit complaints supported by evidence where needed.
At this stage, the agency reports “no confirmed cases” of records being accessed or altered without authorisation, but investigations remain ongoing.
Andy King issued an apology acknowledging the concern and inconvenience caused. He emphasised the organisation’s commitment to safeguarding corporate data and pledged full transparency as the investigation progresses:
He said: “Companies House takes its responsibility to protect the data entrusted to us extremely seriously… We have taken swift action to secure and restore our service… and are committed to doing everything in our power to support those affected.”
