A serious security vulnerability affecting the five million registered companies on Companies House was recently discovered. More on this below, but we would urge all companies to check their records carefully and ensure there is nothing unexpected in their Companies House filings and dashboard.
Discovered on Thursday 12 March, Companies House suspended its WebFiling system from Friday 13 March until the morning of Monday 16 March. Andy King, Chief Executive of Companies House, has since issued a statement (Update on Companies House WebFiling security issue – GOV.UK) explaining the issues discovered and outlining the steps companies should now take.
What happened?
The flaw in the Companies House WebFiling service allowed a logged-in user to access the internal dashboard of any of the other five million companies registered on Companies House by entering another company number and simply pressing the back key a few times. Although not accessible to the general public (as you need a Companies House account), Companies House serves over 5 million registered companies, many of whom use the WebFiling service. The statement from the CEO Andy King, suggests that this issue has been present since Companies House updated their WebFiling systems in October 2025, which is a 5 month window.
The risks
A company's dashboard contains sensitive, private information about its directors including, their residential addresses, email addresses and dates of birth. Unauthorised access also allows a user to make filings or amend company records. Therefore, modifications could have been made to various company details including its registered address, accounts filings or changes of directors. In his statement, Andy King has now confirmed that unauthorised filings could therefore have been made by an unauthorised individual. Looking at the most serious scenario, UK companies were potentially exposed to company hijacking by bad actors and corporate identity fraud.
What companies should do now
As of Monday, 16 March 2026, CEO Andy King reported that Companies House had not yet received any confirmed cases of a company’s data having been accessed or changed without permission. However, investigations are ongoing.
It is very important that companies take the following steps as a matter of urgency:
- Log into Companies House WebFiling and check the registered details to ensure company details and its director information is correct;
- Review filing history to ensure no submissions have been made by an unauthorised user and there are no unexpected filings; and
- Report any concern directly to Companies House and ensure to include evidence of anything that looks suspicious.
The period to review is between 1 October 2025 and Friday, 13 March.
Companies House response
The CEO has issued an apology to all registered companies and confirmed that they took immediate action to fix the issue. They have also reported the incident to the Information Commissioner's Office and the National Cyber Security Centre. To ensure all businesses have taken the above precautionary steps, Companies House will be emailing every company’s registered email address to explain how to check their details and what steps to take if they have concerns.
further information
If you have any questions regarding this blog, please contact our Corporate, Commercial & Finance team.
About the authors
Bethany Hall is a trainee solicitor currently in her fourth seat with the Corporate, Commercial and Finance team.
Roberta Draper advises startup founders, angel investors and established businesses on a variety of corporate and commercial legal matters. She advises on early stage investments, share option schemes, shareholder agreements, share buybacks and company sales and acquisitions.
Join the conversation
