Companies House WebFiling Security Issue Prompts Compliance Review

Key Points

  • Companies House temporarily shut down its WebFiling service on 13 March after identifying a security vulnerability affecting logged-in users.
  • The issue may have allowed authorised WebFiling users to access or alter limited details belonging to another company without consent.
  • Potentially exposed data included dates of birth, residential addresses and company email addresses not normally visible on the public register.
  • Companies House stated that passwords and identity verification documents, including passport information, were not compromised.
  • The regulator confirmed that filed documents such as accounts and confirmation statements could not be altered retrospectively.
  • The incident was reported to the Information Commissioner’s Office and the National Cyber Security Centre.
  • Companies House has urged all companies to review their filing history and registered details for unauthorised changes.
  • The issue was linked to a WebFiling system update introduced in October 2025.
  • No confirmed reports of unauthorised access or changes had been identified at the time of the latest update.

What Happened With the Companies House WebFiling Security Issue?

Companies House confirmed that it became aware of a security issue affecting its WebFiling platform on Friday 13 March. According to the agency, the vulnerability meant that a logged-in WebFiling user with a valid authentication code could potentially access and amend limited information belonging to another company after carrying out a “specific set of actions”.

The agency temporarily suspended the WebFiling service at 1:30pm on 13 March while investigations and remediation work were undertaken. The service later resumed operations at 9am on Monday 16 March after undergoing independent testing.

According to Companies House, the issue was not accessible to members of the general public and required an authenticated user already signed into the WebFiling system.

The registrar stated that the vulnerability was introduced during a system update implemented in October 2025.

What Company Data May Have Been Exposed?

Which Sensitive Details Were Potentially Accessible?

According to Companies House, certain data that is not ordinarily displayed on the public register may have been visible to other authenticated WebFiling users.

This potentially included:

  • Directors’ dates of birth
  • Residential addresses
  • Company email addresses

The regulator also acknowledged that unauthorised filings, including director changes or account submissions, may theoretically have been made against another company’s record.

However, Companies House stressed that the issue did not permit bulk extraction of information or systematic access to records. The organisation stated that any potential exposure would have been limited to viewing one company record at a time.

What Information Was Not Affected?

Companies House stated that several critical systems and records were unaffected by the incident.

The registrar confirmed:

  • Passwords were not compromised
  • Identity verification data, including passport details, was not accessed
  • Previously submitted filings, including accounts and confirmation statements, could not be altered retrospectively

The distinction is likely to provide some reassurance to directors and company officers concerned about wider compromise of corporate records or identity verification systems linked to recent reforms under the Economic Crime and Corporate Transparency framework.

Why Does the Incident Matter for UK Companies and Directors?

What Are the Compliance Risks for Businesses?

The incident highlights the operational and compliance importance of maintaining accurate records with Companies House and regularly monitoring filing histories.

Even though Companies House stated that no confirmed unauthorised access or amendments had been identified at the time of publication, the possibility that director details or filings could have been altered has created concern among company directors, accountants and corporate service providers.

Businesses may now face additional administrative checks to ensure:

  • Director appointments remain accurate
  • Registered office details have not changed unexpectedly
  • Filing histories do not contain unauthorised submissions
  • Company email addresses remain secure and up to date

For companies relying heavily on digital filings, the incident also reinforces the importance of internal governance controls surrounding authentication codes and filing access permissions.

Could Directors Face Further Scrutiny?

The issue arrives during a period of increasing regulatory scrutiny around corporate transparency and identity verification.

Recent reforms have expanded the role of Companies House in detecting fraudulent activity and improving the reliability of information held on the register. As a result, businesses may experience heightened expectations around record monitoring and prompt reporting of irregularities.

Corporate advisers noted that directors should maintain clear internal procedures governing who has access to WebFiling credentials and authentication codes, particularly where external agents or third-party filing providers are involved.

Businesses managing multiple entities may also need to undertake broader compliance reviews of filing permissions and historical submissions.

What Action Should Companies Take Now?

How Should Businesses Check Their Records?

According to Companies House, all companies should review their registered details and filing history to ensure that no unexpected changes have occurred.

The registrar stated that companies with concerns should contact the agency directly via enquiries@companieshouse.gov.uk using the subject line “WebFiling issue” and provide supporting evidence.

Recommended checks include:

  • Reviewing recent filing activity
  • Verifying director and PSC details
  • Confirming registered office information
  • Checking company email addresses
  • Monitoring any unexpected authentication notifications

Businesses that identify discrepancies may need to act quickly to mitigate potential compliance consequences or filing inaccuracies.

Companies using external compliance support providers for confirmation statement filing, director changes or company secretarial work may also wish to confirm that all recent submissions remain accurate.

Should Companies Review Filing Controls?

The incident is likely to prompt many organisations to reassess governance arrangements linked to corporate filings.

Practical measures may include:

  • Restricting access to authentication codes
  • Updating internal filing authorisation procedures
  • Reviewing third-party filing permissions
  • Conducting periodic audits of Companies House records
  • Implementing stronger cyber security monitoring around corporate email accounts

Businesses undertaking new company formation activity or restructuring exercises may also consider whether additional verification procedures are required before filings are submitted.

How Have Regulators Responded to the Incident?

What Role Are the ICO and NCSC Playing?

Companies House confirmed that it proactively reported the incident to the Information Commissioner’s Office and the National Cyber Security Centre.

The ICO oversees compliance with UK data protection legislation, including obligations relating to personal data breaches under the UK General Data Protection Regulation and the Data Protection Act 2018.

The involvement of the NCSC reflects the wider cyber security implications associated with digital public filing systems and sensitive company data.

Companies House stated that it is actively analysing system data for anomalies and plans to contact companies directly through registered email addresses with guidance on checking records and identifying concerns.

Will Further Updates Be Issued?

Companies House said its investigation remains ongoing and confirmed that additional information would be published through a dedicated information page.

The regulator updated its guidance again on Wednesday 18 March and later issued further information on Friday 20 March regarding the incident and ongoing investigations.

According to Companies House, no reports had been received at that stage indicating that data had actually been accessed or changed without permission.

The organisation also stated that it would “take firm action” if evidence emerged showing that users exploited the vulnerability to access or alter another company’s information unlawfully.

How Does This Affect Wider Companies House Reform?

What Does the Incident Mean for Digital Filing Systems?

The security issue comes at a time when Companies House is expanding its enforcement and verification functions under ongoing corporate transparency reforms.

The registrar has increasingly promoted digital filing systems as part of broader modernisation initiatives aimed at improving efficiency, reducing fraud and strengthening the integrity of the UK corporate register.

However, the incident may intensify scrutiny around:

  • Cyber resilience of filing systems
  • Access controls for authorised users
  • Authentication code security
  • Oversight of digital corporate records
  • Data protection compliance

Businesses may also pay closer attention to how Companies House manages system updates and testing processes following the regulator’s confirmation that the vulnerability originated from an October 2025 platform update.

Could Compliance Processes Change Further?

Although no new compliance rules have been announced as a direct consequence of the incident, organisations involved in company filings may anticipate closer procedural safeguards around online submissions and authentication processes.

Professional advisers expect many businesses to increase monitoring of Companies House records as part of routine governance procedures, particularly where multiple directors, overseas officers or external filing agents are involved.

Companies managing PAYE registration, VAT registration or recurring filing obligations may also reassess how corporate credentials are stored and controlled internally to reduce operational risk.

What Did Companies House Say About the Incident?

In its published statement, Companies House apologised for the disruption and concern caused by the incident.

According to Companies House, “We have taken swift action to secure and restore our service, and are committed to doing everything in our power to support those affected and to making sure that our services continue to merit the trust placed in them.”

The organisation added that protecting entrusted company data remains a core responsibility and stated that transparency would continue throughout the ongoing investigation.
