On Friday 13 March, Companies House was made aware of a security issue which meant that a logged-in user of our WebFiling service could potentially access and change some elements of another company’s details without their consent after performing a specific set of actions.
This was not accessible to the general public. Only users with an authorised code and logged in to the service could have performed this action.
We closed WebFiling at 1:30pm on Friday 13 March while we investigated and resolved the issue. The service has been independently tested and is back online as of 9am on Monday 16 March.
What data may have been affected
Our investigation has established that specific data from individual companies not normally published on the Companies House register may have been visible to other logged-in WebFiling users. This includes dates of birth, residential addresses and company email addresses. It may also have been possible for unauthorised filings — such as accounts or changes of director — to have been made on another company’s record.
We want to be clear about what was not affected:
- Passwords were not compromised.
- No data used as part of our identity verification process, such as passport information, was accessed.
- No existing filed documents, such as accounts or confirmation statements could have been altered.
We believe that this issue could not have been used to extract data in large volumes or to access records systematically. Any access would have been limited to individual company records, viewed one at a time by a registered WebFiling user.
Our investigation indicates that this issue was introduced when we updated our WebFiling systems in October 2025.
What we are doing
We have proactively reported this incident to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC). We are actively analysing our data to identify any anomalies, and we’ll be emailing every company’s registered email address to explain how to check their details and what steps to take if they have any concerns.
If we find evidence that anyone has used this issue to access or change another company’s details without authorisation, we will take firm action.
What companies should do now
We are asking all companies to check their registered details and filing history to make sure everything appears correct. If a company has a concern, please raise a complaint and include evidence to describe the concern.
We have no reports at this stage of data having been accessed or changed without permission. However, our investigation is ongoing. We’ll provide further updates as our work progresses and we remain committed to being transparent throughout.
We’ll soon be publishing a page with more details to answer any further questions you may have.
An apology
I recognise that this incident will have caused concern and inconvenience to many of the companies and individuals who rely on our services. I am sorry for that.
Companies House takes its responsibility to protect the data entrusted to us extremely seriously. We have taken swift action to secure and restore our service, and are committed to doing everything in our power to support those affected and to making sure that our services continue to merit the trust placed in them.
Andy King
Chief Executive Officer, Companies House
Registrar of Companies for England and Wales