Companies House Security Incident: What Businesses Need to Know
March 16, 2026
Companies House has confirmed a security incident that exposed certain non‑public company information and may have allowed unauthorised changes to company records. Because this affects every company on the UK register, many organisations are understandably concerned. This article explains what happened, what information was involved, and what steps companies may wish to take.
What has happened at Companies House?
On Friday 13 March, a vulnerability was identified in the Companies House WebFiling service. The flaw allowed a logged‑in WebFiling user to access another company’s private dashboard simply by initiating a filing for that company and then pressing the browser’s “back” button before the authentication stage. This created a window in which confidential company information, normally visible only to authorised users, could be viewed by others.
Companies House took the service offline the same day, carried out independent testing over the weekend, and restored WebFiling on Monday, 16 March. They have since confirmed that the vulnerability was introduced in October 2025.
Who was affected and what was exposed?
In theory, any one of the five million companies registered in the UK could have been affected. However, Companies House has said that the vulnerability could not have been used to extract information in bulk; any access would have been limited to viewing one company record at a time.
The information that may have been visible includes directors’ and persons‑with‑significant‑control residential addresses, their dates of birth, and company email addresses. Companies House has also acknowledged that it may have been possible for an unauthorised user to make certain filings, such as submitting accounts or altering director information.
At the same time, Companies House has confirmed that some categories of information were not affected. Passwords, identity‑verification documents and existing filed documents were not exposed by this vulnerability.
What should companies do now?
For organisations whose filings are managed centrally — for example, those using our Annual Compliance Service where statutory filings are monitored on their behalf — there may be nothing further to do at this stage. Regular monitoring and oversight will usually detect any unexpected changes.
Companies that manage their own filings may wish to log in to their Companies House WebFiling account and review their registered details and filing history to ensure that everything is as expected. If anything looks unfamiliar or incorrect, concerns can be raised directly with Companies House, or with a professional adviser if preferred.
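For companies that keep their own log of submissions, the review described above can be done as a reconciliation. The sketch below is an added example, not Companies House or adviser tooling. The record layout, the reference values and the "priority" label are assumptions, and the window start of 1 October 2025 is assumed because only the month is known.

```python
from datetime import date

# Assumption: only "October 2025" is known for when the flaw was introduced,
# so the window starts on the 1st. It ends on the day WebFiling went offline.
WINDOW_START = date(2025, 10, 1)
WINDOW_END = date(2026, 3, 13)

# Filing kinds the article says an unauthorised user may have been able to make
# (accounts, director information). Category names here are assumed labels.
PRIORITY_CATEGORIES = {"accounts", "officers"}


def unexpected_filings(register_history, own_submissions,
                       start=WINDOW_START, end=WINDOW_END):
    """Return register entries in the window that your own records cannot explain.

    register_history: list of dicts with 'date' (ISO string), 'category', 'reference'.
    own_submissions:  set of references your team or agent knowingly filed.
    """
    findings = []
    for entry in register_history:
        filed_on = date.fromisoformat(entry["date"])
        if not (start <= filed_on <= end):
            continue  # outside the exposure window
        if entry["reference"] in own_submissions:
            continue  # accounted for in your own filing log
        priority = "high" if entry["category"] in PRIORITY_CATEGORIES else "review"
        findings.append({**entry, "priority": priority})
    # High-priority items first, then oldest first.
    findings.sort(key=lambda f: (f["priority"] != "high", f["date"]))
    return findings


# Constructed sample data, not real filings.
SAMPLE_HISTORY = [
    {"date": "2025-09-20", "category": "confirmation-statement", "reference": "REF-001"},
    {"date": "2025-11-04", "category": "accounts", "reference": "REF-002"},
    {"date": "2026-01-15", "category": "officers", "reference": "REF-003"},
    {"date": "2026-02-02", "category": "address", "reference": "REF-004"},
    {"date": "2026-03-16", "category": "officers", "reference": "REF-005"},
]
SAMPLE_OWN = {"REF-001", "REF-002"}

if __name__ == "__main__":
    for f in unexpected_filings(SAMPLE_HISTORY, SAMPLE_OWN):
        print(f["priority"], f["date"], f["category"], f["reference"])
```

Anything the function returns is a filing to check against board minutes or adviser records before raising it with Companies House.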
Many businesses are also in the middle of the new mandatory identity‑verification process introduced under the Economic Crime and Corporate Transparency Act. A number of queries we have received relate specifically to whether identity documents were compromised. Companies House has confirmed that identity documents were not affected by this incident. In any case, where identity verification is carried out through an Authorised Corporate Service Provider (ACSP), those documents are not sent to Companies House at any stage.
For entities on the Register of Overseas Entities, there is currently no indication that ROE filings were affected.
Regardless of which regime applies to you, it is sensible to remain alert to unusual communications that appear to relate to company filings or official records. As always, if something does not look right, it is worth checking.
Where to find more information
The story has been widely covered, and the following sources provide helpful further detail:
- Tax Policy Associates – Companies House flaw exposed five million directors and enabled company hijacking
- Financial Times – Companies House suspends online filing after glitch put personal data at risk
- Companies House – Update on Companies House WebFiling security issue
If you have questions or concerns about how this incident might affect your company, our team is here to help.
