Companies House has confirmed a security flaw in its WebFiling system, enabling logged-in users to alter other companies’ information without consent. Only logged-in users with an authorised code were able to make these changes, meaning the changes could not be made by the general public.
Users were also given access to non-public data, including dates of birth, registered email addresses and residential addresses. The issue was discovered on Friday 13th March 2026, but has since been fixed. Companies House confirmed that the WebFiling service has been back online since 9am 16th March 2026.
“This is yet another reminder that personal data can never be 100 per cent secure in our online world,” said Birketts Director Matthew Stratton on the Birketts website. “Thankfully, Companies House has confirmed that passwords and other information provided as part of the ID verification process (e.g. personal codes and passport details) were not compromised, providing a measure of comfort.”
Following the security issue, companies have been advised to find their information on the Companies House website and check for unexpected filings. This includes changes made to company name, registered office, accounts and confirmation statements, and changes to officers or PSCs.
Companies House stated that is does not believe the issue could be used to extract data in large volumes or to access records systematically. Additionally, Companies House has reported the incident to the Information Commissioner’s Office and the National Cyber Security Centre. All registered companies will also receive an email explaining how to check their details and manage any concerns.
As of 18th March 2026, no incidents of data having been accessed or changed without permission have been reported. However, with investigations still ongoing, companies can email enquiries@companieshouse.gov.uk using ‘WebFiling issue’ in the subject heading to talk about their concerns. Companies House has also confirmed that the issue came from a system update completed in October 2025, not from a malicious or cyber attack.
“I recognise that this incident will have caused concern and inconvenience to many of the companies and individuals who rely on our services. I am sorry for that,” said CEO of Companies House Andy King on the UK Government website. “Companies House takes its responsibility to protect the data entrusted to us extremely seriously. We have taken swift action to secure and restore our service, and are committed to doing everything in our power to support those affected and to making sure that our services continue to merit the trust placed in them.”
For more news like this, click here.