A serious security vulnerability was recently identified in the Companies House WebFiling system, raising concerns about the protection of sensitive company and director information in the UK.
What was the issue?
The vulnerability appears to have been introduced during a system update in October 2025 and remained undetected for several months. Due to this flaw, users who were logged into the WebFiling service could potentially gain access to private company data belonging to other businesses, without proper authorisation. This included sensitive information such as:
- Directors’ dates of birth
- Residential addresses
- Email addresses
In some cases, the issue may also have allowed users to access another company’s filing area, creating the risk of unauthorised changes or submissions. What made the issue particularly concerning was how simple it was to exploit. Reports suggest that basic navigation actions—such as using the browser’s back button at certain points—could unintentionally grant access to another company’s account.
Scale and potential impact
Companies House holds records for millions of UK companies, so even a limited vulnerability has potentially wide-reaching implications. Although passwords and identity verification documents were not exposed, the type of data involved is still highly sensitive. If accessed maliciously, it could be used for:
- Identity theft
- Phishing and social engineering attacks
- Fraudulent changes to company records
There is also concern that attackers could have:
- Changed company details such as registered addresses or directors
- Filed false documents
- Attempted to take control of legitimate businesses
At this stage, there is no confirmed evidence that the vulnerability was widely exploited. However, due to the nature of the flaw, it is difficult to completely rule out misuse.
Discovery and response
The issue was discovered in March 2026 and quickly escalated. In response, Companies House:
- Temporarily shut down the WebFiling service
- Investigated and implemented a fix
- Restored the service after resolving the vulnerability
- Reported the incident to relevant regulatory and cybersecurity authorities
Companies House has stated that there is currently no confirmed evidence of data being misused, but investigations are ongoing.
Why this matters
This incident highlights several important issues:
- Data security risks: Even established government systems can be vulnerable to relatively simple technical flaws.
- Trust in the register: Companies House plays a key role in maintaining transparency and trust in UK businesses. Security issues can undermine confidence in the system.
- Fraud exposure: Access to both personal data and company filing functions creates potential opportunities for financial crime.
- Detection challenges: Because the issue required a logged-in session and did not leave obvious traces, identifying affected companies may be difficult.
What businesses should do
While the issue has now been fixed, businesses should take a cautious approach:
- Review their company records on Companies House
- Check for any unexpected changes to filings, directors, or addresses
- Monitor for suspicious emails or communications
- Strengthen internal controls around company filings
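One way to make the record review above repeatable is to compare a saved baseline of the company's public record against a fresh copy and list every difference. The following is an added example, not part of the original article or any Companies House tooling; the snapshot layout, field names and sample values are assumptions constructed for illustration.

```python
# Snapshot layout is an assumption for this example, not an official export format.
# Constructed sample snapshots (not real company data).
BASELINE = {
    "registered_office_address": {"address_line_1": "1 Example Street", "postal_code": "EX1 1EX"},
    "officers": [{"name": "DOE, Jane", "role": "director", "resigned_on": None}],
    "filings": [{"id": "F-0001", "date": "2025-09-01", "type": "CS01"}],
}
CURRENT = {
    "registered_office_address": {"address_line_1": "99 Sample Road", "postal_code": "EX1 1EX"},
    "officers": [
        {"name": "DOE, Jane", "role": "director", "resigned_on": "2026-02-10"},
        {"name": "ROE, Richard", "role": "director", "resigned_on": None},
    ],
    "filings": [
        {"id": "F-0001", "date": "2025-09-01", "type": "CS01"},
        {"id": "F-0002", "date": "2026-02-10", "type": "AD01"},
    ],
}


def diff_record(baseline, current):
    """Return human-readable findings for every difference between two snapshots."""
    findings = []
    # Registered office: report each field that differs, including added or removed ones.
    old_addr = baseline.get("registered_office_address", {})
    new_addr = current.get("registered_office_address", {})
    for field in sorted(set(old_addr) | set(new_addr)):
        if old_addr.get(field) != new_addr.get(field):
            findings.append(f"address.{field}: {old_addr.get(field)!r} -> {new_addr.get(field)!r}")
    # Officers: key by name so appointments, removals and edits all surface.
    old_off = {o["name"]: o for o in baseline.get("officers", [])}
    new_off = {o["name"]: o for o in current.get("officers", [])}
    for name in sorted(set(new_off) - set(old_off)):
        findings.append(f"officer added: {name}")
    for name in sorted(set(old_off) - set(new_off)):
        findings.append(f"officer removed: {name}")
    for name in sorted(set(old_off) & set(new_off)):
        if old_off[name] != new_off[name]:
            findings.append(f"officer changed: {name}")
    # Filings: anything absent from the baseline must match an authorised submission.
    known = {f["id"] for f in baseline.get("filings", [])}
    for f in current.get("filings", []):
        if f["id"] not in known:
            findings.append(f"new filing: {f['date']} {f['type']} ({f['id']})")
    return findings


if __name__ == "__main__":
    for line in diff_record(BASELINE, CURRENT):
        print(line)
```

Each finding should be traced to a filing the business knowingly authorised; anything that cannot be matched is worth raising with Companies House.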
Final thoughts
Although Companies House responded quickly once the issue was identified, the incident demonstrates how relatively small technical vulnerabilities can have significant consequences when they affect critical national systems. Further updates are expected as investigations continue, and businesses should remain vigilant in the meantime.