Companies House has confirmed a security incident within its WebFiling service that may have exposed sensitive company information to other logged-in users.
The issue was identified on Friday 13 March, when the agency discovered that a logged-in user could potentially access and alter limited elements of another company’s records without consent, after performing a specific sequence of actions. The vulnerability was not accessible to the general public and required a user to be logged in with a valid authentication code.
As a precaution, Companies House suspended the WebFiling service at 1:30pm on the same day. Following an investigation and remediation, the platform was independently tested and restored by 9:00am on Monday 16 March.
Potential Data Exposure
According to the investigation, certain data not typically available on the public register may have been visible to other authenticated users. This includes:
- Dates of birth
- Residential addresses
- Company email addresses
There was also a possibility that unauthorised filings—such as submitting accounts or changing director details—could have been made on another company’s profile.
However, Companies House emphasised that:
- Passwords were not compromised
- Identity verification data (such as passport details) was not accessed
- Existing filed documents could not be altered
The organisation added that the issue was unlikely to have enabled large-scale or automated data extraction, with access limited to individual company records viewed one at a time.
Initial findings suggest the vulnerability originated from a system update implemented in October 2025.
Regulatory Notification and Ongoing Review
The incident has been formally reported to both the Information Commissioner’s Office and the National Cyber Security Centre. Companies House is continuing to analyse system data for any irregularities and plans to contact all registered companies directly with guidance on reviewing their records.
While there are currently no confirmed reports of unauthorised access or changes, the investigation remains ongoing. Officials have stated that any misuse identified will be met with firm action.
Guidance for Companies
Businesses are being urged to review their registered details and filing history to ensure accuracy. Any concerns should be reported directly to Companies House via email, with supporting evidence provided.
Further updates are expected as the investigation progresses, alongside the publication of additional guidance for affected users.
Official Response
In a statement, Chief Executive Officer Andy King apologised for the incident, acknowledging the concern it may have caused.
He reaffirmed the organisation’s commitment to data protection, stating that swift action had been taken to secure the system and restore services, and that Companies House would continue working to maintain public trust.

