Companies House blunder

A Companies House blunder has raised concerns after a flaw in the WebFiling service briefly exposed sensitive company data. The issue, identified on 13 March 2026, meant that a logged-in user could potentially access and amend limited details of another company by carrying out a specific sequence of actions.

Companies House has stated that this system vulnerability was not available to the general public. Only users with authorised access codes who were already logged into the system could have exploited it. Nevertheless, the nature of the flaw meant that certain private information, such as dates of birth, residential addresses and company email addresses may have been visible. There was also a risk that unauthorised filings, including accounts and changes to director details, could have been submitted on another company’s record.

After identifying this issue, Companies House shut down the WebFiling service at 13:30 on 13 March to investigate. Following independent testing, the system was restored at 09:00 on 16 March. Companies House has said that passwords and identity verification data were not compromised, and that existing filed documents, such as accounts or confirmation statements, could not be altered.

The issue is believed to have arisen from a WebFiling systems update in October 2025. It has been reported to both the Information Commissioner’s Office and the National Cyber Security Centre.

Companies are now being urged to review their registered details and filing history carefully. While no confirmed misuse has been reported so far, Companies House is continuing to investigate. If a company has a concern, it should raise a complaint via the Companies House complaints page at www.gov.uk/government/organisations/companies-house/about/complaints-procedure and include evidence to describe the issue.