Info Gov

Companies House has confirmed a security breach in its WebFiling service that briefly allowed authenticated users to access or amend certain details relating to companies they were not authorised to manage.


The incident, publicly acknowledged on 16 March 2026, involved a flaw that could be triggered only after a user followed a particular sequence of actions while logged into WebFiling with an authorised code.

Although not accessible to the general public, the vulnerability created a window in which private information, including directors’ dates of birth, residential addresses and company email addresses, may have been exposed to other registered users. There was also potential for unauthorised filings, such as director changes or accounts submissions, to be made.

Companies House took WebFiling offline at 1:30pm on Friday 13 March, restoring it only after independent testing on Monday 16 March at 9am. Companies House said that early findings indicate that the flaw was introduced during a system update in October 2025.

Companies House Chief Executive Officer, Andy King, stressed that several critical categories of data were untouched:

• Passwords were not compromised.
• Identity‑verification data - such as passport information - remained secure.
• Existing filed documents could not be altered through the vulnerability.
• The issue could not have been used to extract data at scale, with any access limited to individual records

Companies House has reported the incident to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC) and is examining its systems for anomalies. Each registered company will receive guidance on how to check its filings and raise concerns.

Public sector bodies routinely rely on Companies House data to support procurement due‑diligence, monitor companies involved in regulated sectors, support trading standards enforcement, and detect fraud.

Companies House is urging all companies to review their registered details and filing history for irregularities and to submit complaints supported by evidence where needed.

At this stage, the agency reports “no confirmed cases” of records being accessed or altered without authorisation, but investigations remain ongoing.

Andy King issued an apology acknowledging the concern and inconvenience caused. He emphasised the organisation’s commitment to safeguarding corporate data and pledged full transparency as the investigation progresses:

He said: “Companies House takes its responsibility to protect the data entrusted to us extremely seriously… We have taken swift action to secure and restore our service… and are committed to doing everything in our power to support those affected.”

Also in this section

Jul 16, 2026

Scattered Spider pair jailed over TfL hack

Two members of the Scattered Spider hacking collective have each been jailed for five and a half years at Woolwich Crown Court on 16 July over a 2024 cyber attack on Transport for London that compromised the personal data of millions of customers and cost the transport authority £39 million.
Jul 15, 2026

Government introduces mandatory data breach reporting protocol

The Cabinet Office has published a Model Action Plan setting out a single cross-government framework that all departments and arms-length bodies must follow when responding to significant personal data breaches, introducing mandatory central reporting of such incidents for the first time.
Jun 29, 2026

"Five eyes" warn on accelerating cyber security threat from AI

The National Cyber Security has called on organisational leaders to treat cyber resilience as a core business and governance responsibility rather than a technical matter in the light of a report by the Five Eyes intelligence alliance on the "fundamental" impact of AI on the speed and scale of cyber threats.
Jun 15, 2026

Government AI hackathons uncover 407 vulnerabilities across nine departments, including critical remote code execution flaw

A pilot programme using frontier AI models to scan public-sector code repositories has identified 407 security findings across nine government organisations, including a critical vulnerability that could have allowed an external attacker to execute arbitrary code on a key digital service, the Department for Science, Innovation and Technology (DSIT) and the National Cyber Security Centre (NCSC)…

InfoGov Masthead Newsletter 800