UK’s Companies House says WebFiling flaw exposed private business data after October 2025 update
Companies House has confirmed that a security flaw in its WebFiling service exposed private company data and may also have allowed some unauthorized filings on other companies’ records. The agency said the issue affected logged-in WebFiling users only, was introduced during a system update in October 2025, and was fixed after the service was taken offline on March 13 and restored on March 16.
The disclosure matters because Companies House holds records for more than five million limited companies in the UK. In its official statement, the agency said the flaw could have exposed data that does not normally appear on the public register, including dates of birth, residential addresses, and company email addresses. It also said it was technically possible for unauthorized filings, such as accounts or director changes, to be made on another company’s record.
Companies House stressed that the issue was not a public-facing breach and not a cyberattack. According to its follow-up email to registered companies, the flaw required a logged-in user to perform a specific set of actions inside WebFiling. The agency also said passwords were not compromised, identity verification documents such as passports were not accessed, and previously filed documents could not be altered.
The agency has reported the incident to the Information Commissioner’s Office and the National Cyber Security Centre. As of its latest public update, Companies House said it had no reports that data had actually been accessed or changed without permission, but the investigation remains ongoing. It has also begun contacting companies through their registered email addresses with advice on what happened and what to check next.
What Companies House confirmed
The core issue centers on trust in the WebFiling system. Companies House said a logged-in user could potentially access and change some elements of another company’s details without consent after following a specific sequence of actions. That means the flaw did not expose the entire register to the public, but it still created a path for sensitive data exposure inside an authenticated workflow.
The agency also confirmed a key timeline detail. It said the flaw was introduced during a system update in October 2025, which means the weakness may have existed for months before it was reported on March 13, 2026. WebFiling was closed at 1:30 p.m. on March 13, independently tested, and brought back online at 9:00 a.m. on March 16.
Companies House WebFiling incident summary
| Detail | Confirmed information |
|---|---|
| Affected service | Companies House WebFiling |
| Publicly confirmed | March 16, 2026 |
| Issue introduced | October 2025 system update |
| Access required | Logged-in WebFiling user performing specific actions |
| Data that may have been visible | Dates of birth, residential addresses, company email addresses |
| Possible record impact | Unauthorized filings such as accounts or director changes |
| What was not affected | Passwords, identity verification documents, existing filed documents |
| Regulators informed | ICO and NCSC |
What was exposed and what was not
Companies House drew a clear line between what may have been exposed and what remained protected. The agency said some non-public company data may have been visible to other logged-in users. That included dates of birth, residential addresses, and company email addresses, all of which could create privacy and fraud risks if accessed by the wrong person.
At the same time, Companies House said no user passwords were compromised. It also said information used during identity verification, including passport data, was not accessed. The agency added that existing filed documents, such as accounts or confirmation statements already on record, could not be altered through this flaw.
What companies should do now
- Check recent filings and company details in WebFiling for anything unexpected.
- Review director information, registered email details, and other sensitive record entries.
- Watch for Companies House emails sent between March 17 and March 19 with guidance on next steps.
- Report suspicious changes or concerns through Companies House support channels.
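The first two checks can be run as a reconciliation against the company's own records. The following is an added example, not code from Companies House or from this article; the record layout, category labels, references, and the 1 October start date (the article gives only "October 2025") are assumptions, and the sample data is constructed.

```python
from datetime import date

# Exposure window from the article: flaw introduced by an October 2025 update,
# WebFiling taken offline on 13 March 2026. The exact October day is not
# stated, so 1 October is an assumed, conservative start.
WINDOW_START = date(2025, 10, 1)
WINDOW_END = date(2026, 3, 13)
# Filing kinds the article names as possible unauthorized filings
# (accounts, director changes). The labels are assumptions for this example.
HIGH_RISK = {"accounts", "officers"}

def unexplained_filings(register_filings, own_references):
    """Filings inside the window that the company's own log cannot account for."""
    findings = []
    for f in register_filings:
        filed = date.fromisoformat(f["date"])
        if not WINDOW_START <= filed <= WINDOW_END:
            continue  # outside the period in which the flaw existed
        if f["reference"] in own_references:
            continue  # a filing the company knows it submitted
        severity = "high" if f["category"] in HIGH_RISK else "review"
        findings.append((severity, f["date"], f["reference"], f["category"]))
    # High-severity items first, then oldest first.
    return sorted(findings, key=lambda x: (x[0] != "high", x[1]))

def changed_details(baseline, current):
    """Fields whose value differs between a trusted snapshot and the record now."""
    return {k: (baseline.get(k), current.get(k))
            for k in sorted(set(baseline) | set(current))
            if baseline.get(k) != current.get(k)}

# Constructed sample data: what the register shows vs. what the company filed.
REGISTER = [
    {"reference": "EX-001", "date": "2025-09-20", "category": "accounts"},
    {"reference": "EX-002", "date": "2025-11-04", "category": "confirmation-statement"},
    {"reference": "EX-003", "date": "2026-01-15", "category": "officers"},
    {"reference": "EX-004", "date": "2026-02-02", "category": "address"},
    {"reference": "EX-005", "date": "2026-03-20", "category": "accounts"},
]
OWN = {"EX-001", "EX-002"}
BASELINE = {"registered_email": "filings@example.test", "director_1": "A. Example"}
CURRENT = {"registered_email": "other@example.test", "director_1": "A. Example"}

if __name__ == "__main__":
    for row in unexplained_filings(REGISTER, OWN):
        print(row)
    print(changed_details(BASELINE, CURRENT))
```

Anything this flags is a prompt to check with whoever handles filings for the company before reporting it, since a legitimate agent filing would also be missing from an incomplete internal log.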
Why this incident matters
This incident lands at an awkward moment for Companies House, which has been tightening rules around corporate transparency and identity verification. In November 2025, the agency began phasing in identity verification for directors and people with significant control as part of wider reforms aimed at improving trust in the UK company register. A flaw that exposed non-public data and may have allowed unauthorized filings cuts directly against that goal.
It also shows how a narrow bug inside an authenticated workflow can still have broad consequences. The issue did not require a public breach of the register, but it may have let one user move across company records they should never have reached. For businesses, that raises practical concerns around privacy, impersonation, and false filings, even if Companies House ultimately finds no confirmed abuse.
FAQ
Companies House said a flaw in WebFiling allowed a logged-in user, after a specific set of actions, to potentially access and change some elements of another company’s details without consent.
Companies House said no. In its email to registered companies, it stated that the issue came from a system update in October 2025 and “was not the result of a malicious attempt to attack our systems.”
The agency said dates of birth, residential addresses, and company email addresses may have been visible to other logged-in WebFiling users.
Possibly. Companies House said unauthorized filings, such as accounts or director changes, may have been possible on another company’s record.
No, according to Companies House. It said passwords were not compromised and identity verification data such as passport information was not accessed.