Key Points
- Companies House suspended its WebFiling service after a security vulnerability exposed sensitive company data.
- The flaw reportedly allowed users to access and potentially edit information belonging to other companies by using the browser back button.
- Exposed information may have included directors’ home addresses, dates of birth and email addresses.
- Tax expert Dan Neidle warned the vulnerability could create fraud risks for businesses and directors.
- Companies House stated it closed the service while investigations are ongoing.
- Businesses missing filing deadlines because of the outage have been advised to retain evidence of failed submissions.
- The incident raises wider concerns about cybersecurity, identity fraud and corporate compliance risks linked to Companies House filings.
What Happened at Companies House?
Companies House suspended its online WebFiling service after a security flaw reportedly enabled users to access sensitive information belonging to other companies through the government portal.
According to the Press Association, the vulnerability allowed users to view another company’s details by pressing the back button while logged into the Companies House dashboard. The issue reportedly exposed information including directors’ residential addresses, email addresses and dates of birth.
As reported by the Press Association, Dan Neidle, founder of Tax Policy Associates, alerted Companies House to the issue on Friday after identifying the flaw.
A spokesperson for Companies House said: “We are aware of an issue with our WebFiling service and have closed it while we investigate. We apologise for any inconvenience to our customers.”
The temporary suspension affects businesses and agents relying on the online filing system for statutory submissions and company administration tasks.
Why Is the Security Vulnerability Significant?
The incident has raised concerns about the integrity of company records and the protection of personal information held by the UK’s corporate registry.
As reported by the Press Association, Mr Neidle described the flaw as “very serious” if it had existed for an extended period. He stated: “People could get enough data about a company and its directors to potentially commit fraud – to pretend to be it.”
He further warned that malicious actors could potentially alter company addresses or intercept official correspondence if unauthorised access extended to filing capabilities.
According to the Press Association, Mr Neidle added: “Security researchers say 15 days is the average time it takes for a vulnerability to be exploited, and this was a particularly easy vulnerability with no hacking required.”
The concerns are particularly relevant because Companies House holds official records for millions of UK businesses, including directors’ information, filing histories and statutory documents.
The incident also arrives during a period of broader reform at Companies House following the introduction of enhanced corporate transparency and identity verification measures under the Economic Crime and Corporate Transparency Act.
What Information May Have Been Exposed?
The vulnerability reportedly exposed several categories of personal and corporate information.
According to the Press Association, the accessible information may have included:
Directors’ Residential Addresses
Although Companies House restricts the public display of certain residential details, directors’ addresses are still held within filing systems for official purposes. Exposure of these records could increase risks of impersonation or identity fraud.
Dates of Birth
Partial dates of birth are routinely published on the register, while full dates are retained internally. Access to more detailed personal data could heighten fraud risks for company officers.
Email Addresses
Business and filing-related email addresses may provide opportunities for phishing attempts or unauthorised account access.
Company Filing Information
The reported ability to alter or interact with company data raises concerns over the integrity of filings submitted through the WebFiling service.
For companies already managing compliance obligations, the incident may prompt reviews of account security, filing permissions and internal controls over corporate records.
How Could UK Companies Be Affected?
The outage has operational and compliance implications for UK companies, directors and filing agents.
Businesses that rely on the WebFiling portal for annual accounts, confirmation statements or director updates may face delays while the service remains unavailable.
Filing Deadlines and Compliance Risks
Companies House stated in guidance to affected users: “If you miss your filing deadline due to the service being unavailable, there’s no need to call us.”
The guidance further stated: “File as soon as you can once the service is available, and take a screenshot of any error messages and note the time and date. We’ll take this evidence into account if you cannot file.”
This advice is significant for companies approaching statutory filing deadlines, particularly those required to submit:
- Annual accounts
- Confirmation statements
- Director appointment or resignation notices
- Persons with Significant Control (PSC) updates
Late filing penalties may still technically arise unless Companies House accepts evidence demonstrating the delay resulted from the system outage.
Businesses using third-party compliance providers or company secretarial services may also need to monitor filing status carefully during the disruption.
What Should Directors and Companies Do Now?
Companies affected by the outage may need to take several precautionary steps while investigations continue.
Review Companies House Records
Directors and authorised officers should review their Companies House entries once the system becomes available to identify any unexpected changes or suspicious activity.
This includes checking:
- Registered office addresses
- Director details
- Filing histories
- PSC information
- Authentication credentials
Retain Evidence of Filing Failures
Companies House has specifically advised businesses to keep screenshots of system errors and record relevant timestamps if filing attempts fail during the outage period.
This evidence may assist if disputes arise regarding filing deadlines or penalties.
Monitor for Fraud Risks
Businesses should remain alert for:
- Unusual correspondence
- Unexpected changes to company records
- Suspicious emails
- Identity verification requests
- Unauthorised filings
Where concerns arise, directors may need to contact Companies House or relevant fraud reporting authorities promptly.
Assess Internal Compliance Procedures
The incident may encourage companies to strengthen governance around corporate filings, including restricting access to filing credentials and reviewing who is authorised to submit documents.
For businesses managing multiple statutory obligations, professional support with confirmation statement filing, director changes or broader compliance services may help reduce operational risks during service disruptions.
How Does This Relate to Wider Companies House Reforms?
The incident comes amid significant reforms intended to strengthen the reliability and security of the UK corporate register.
Under reforms linked to the Economic Crime and Corporate Transparency Act, Companies House has been granted expanded powers to:
- Improve identity verification
- Query suspicious filings
- Remove inaccurate information
- Share data with law enforcement agencies
- Enhance corporate transparency
The government has repeatedly stated that Companies House should become a more active gatekeeper against fraud and economic crime rather than operating solely as a passive registrar.
This latest incident may increase scrutiny of the organisation’s cybersecurity infrastructure and operational resilience, particularly given the sensitive nature of the information it holds.
It may also intensify pressure on Companies House to demonstrate that ongoing digital reforms are supported by robust data protection and access controls.
Could the Incident Affect HMRC Compliance?
Although the issue directly concerns Companies House systems rather than HM Revenue and Customs, the disruption may indirectly affect businesses managing tax and corporate compliance obligations.
Many companies rely on synchronised filing schedules covering both Companies House and HMRC obligations, particularly around annual accounts and corporation tax reporting.
Delays in company filings can potentially create knock-on administrative complications where businesses require updated company records for:
- VAT registration processes
- Banking verification
- Funding applications
- Tax agent authorisations
- Regulatory reporting
Businesses undertaking new company formation activities may also experience delays if associated filing systems remain restricted or subject to additional security reviews.
Some organisations may choose to seek external support with company formation, filing obligations or statutory record management while the investigation continues.
What Happens Next?
Companies House has not yet confirmed how long the WebFiling service will remain unavailable or whether any unauthorised access occurred before the issue was identified.
The organisation stated only that it closed the service while investigations are underway.
Further updates are expected regarding:
- The duration of the vulnerability
- Whether data was accessed or altered
- Potential remediation measures
- Restoration timelines for the filing system
- Any additional safeguards for account holders
The incident is likely to draw continued attention from cybersecurity professionals, corporate compliance advisers and regulators given the scale and importance of the Companies House register to the UK business environment.
