PROBABLYPWNED
Data Breaches | March 17, 2026 | 4 min read

Companies House UK Flaw Exposed 5 Million Firms to Data Theft

British government registry's WebFiling vulnerability let logged-in users access other companies' dashboards since October 2025. Unauthorized filings were possible.

Sarah Mitchell

A security flaw in Companies House's WebFiling service allowed logged-in users to access and potentially modify records belonging to any of the five million companies registered in the UK. The vulnerability, introduced during a system update in October 2025, remained active until discovery on March 13, 2026—a five-month exposure window that has prompted the agency to notify regulators and urge businesses to verify their filings.

Companies House shut down WebFiling immediately after discovering the issue and brought the service back online March 16 following independent security testing.

What the Vulnerability Allowed

By performing a specific sequence of actions, a logged-in WebFiling user could potentially:

  • Access another company's dashboard - Viewing data normally restricted to authorized officers
  • See unpublished personal information - Including directors' dates of birth, residential addresses, and company email addresses
  • Make unauthorized filings - Such as accounts submissions or changes of director on another company's record

The flaw wasn't accessible to the general public. Exploitation required having an authorized WebFiling account and knowing the specific actions to perform. But that still encompasses a substantial user base—anyone registered to file on behalf of a UK company.

Timeline and Response

Companies House was made aware of the security issue on Friday, March 13. They closed WebFiling at 1:30 PM that day and began an investigation. The service returned at 9 AM on Monday, March 16 after independent testing confirmed the fix.

The agency has proactively reported the incident to the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC). They've also begun reviewing logs to identify whether any unauthorized access occurred during the five-month window.
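The log review described above boils down to one question: did any session touch a company its user was not authorised to file for, inside the exposure window? The following is an added illustration of that check, not Companies House's own tooling; the audit-log format, the authorisation table and the window boundaries (1 October 2025 as the start, since the article gives only the month; 13:30 on 13 March 2026 as the end) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Exposure window as reported: introduced by the October 2025 update (exact
# day not given, so 1 October is assumed), closed when WebFiling was taken
# offline at 1:30 PM on 13 March 2026.
WINDOW_START = datetime(2025, 10, 1)
WINDOW_END = datetime(2026, 3, 13, 13, 30)

# Actions that change the register are more serious than read-only views.
WRITE_ACTIONS = {"file_accounts", "change_director"}

@dataclass(frozen=True)
class Finding:
    user: str
    company: str
    action: str
    severity: str  # "high" for unauthorised filings, "medium" for views

def parse_line(line: str) -> tuple[datetime, str, str, str]:
    """Parse one 'timestamp user company action' record (assumed log format)."""
    ts, user, company, action = line.split()
    return datetime.fromisoformat(ts), user, company, action

def find_cross_company_access(log_lines, authorizations) -> list[Finding]:
    """Return events inside the window where a user acted on a company
    that is not in their authorisation set."""
    findings = []
    for line in log_lines:
        ts, user, company, action = parse_line(line)
        if not (WINDOW_START <= ts <= WINDOW_END):
            continue  # outside the vulnerable period
        if company in authorizations.get(user, set()):
            continue  # legitimate access to the user's own company
        severity = "high" if action in WRITE_ACTIONS else "medium"
        findings.append(Finding(user, company, action, severity))
    return findings

# Constructed sample data; company numbers and users are not real records.
SAMPLE_AUTH = {"alice": {"12345678"}, "bob": {"87654321"}}
SAMPLE_LOG = [
    "2025-09-20T10:00:00 alice 87654321 view_dashboard",  # before window
    "2025-11-02T09:15:00 alice 12345678 view_dashboard",  # own company
    "2025-11-02T09:16:00 alice 87654321 view_dashboard",  # cross-company view
    "2026-01-14T16:40:00 bob 12345678 change_director",   # unauthorised filing
    "2026-03-14T08:00:00 bob 12345678 view_dashboard",    # after shutdown
]

if __name__ == "__main__":
    for finding in find_cross_company_access(SAMPLE_LOG, SAMPLE_AUTH):
        print(finding)
```

A real review would draw the authorisation set from the registry's own officer and agent records rather than a static table, but the filter logic is the same.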

"We are still determining the scope and scale of any potential impact and will update businesses accordingly," Companies House CEO Andy King said in a statement, adding an apology to affected businesses.

Why This Matters for UK Businesses

The exposure goes beyond simple data viewing. If attackers exploited this flaw to file fraudulent documents—changing company officers, for instance—victims might not notice until the changes caused downstream problems. Lenders, investors, and partners rely on Companies House records for due diligence. Corrupted records could enable fraud at scale.

Directors whose personal addresses were exposed face potential physical security risks. The residential address of a company officer isn't public information precisely because of these concerns.

Businesses registered with Companies House should:

  1. Review recent filings - Check for any submissions you didn't authorize
  2. Verify officer information - Ensure no unauthorized changes to director details
  3. Monitor credit and identity services - Personal data exposure could enable identity fraud
  4. Update authentication - If you share WebFiling credentials, this would be a good time to rotate them

Broader Context

This incident highlights the risks inherent in centralizing corporate data in government-run systems. Companies House has been working to modernize its infrastructure, but as with similar breaches at government agencies, the combination of legacy systems and sensitive data creates ongoing exposure.

The October 2025 update that introduced this vulnerability was presumably intended to improve the service. Instead, it created a five-month window during which any determined user with WebFiling access could have systematically harvested data across the registry. Whether anyone actually did remains under investigation.

For security teams at UK businesses, this is a reminder that third-party data exposure isn't limited to private vendors. Government registries hold sensitive information too, and their security practices may not align with your organization's risk tolerance. Understanding what constitutes a data breach and how to respond when third parties expose your information is essential preparation.

The NCSC has not yet issued public guidance on this specific incident, but organizations with concerns about potential exposure should consider reaching out to their registry directly or monitoring for any follow-up bulletins.
