Companies House WebFiling security issue

On Monday 16 March Companies House announced that it had become aware of a security issue with its WebFiling service on Friday 13 March. The issue allowed authenticated users logged-in to the WebFiling service to access and potentially modify the details of other companies.

Company details which may have been visible included company information not usually published on the Companies House register, such as dates of birth; residential addresses; and company email addresses. It may have also been possible for logged-in users to make unauthorised filings (such as changes to directors) on another company’s record.

In a statement, Companies House said that only a person with an authorised code and able to log-in to the WebFiling service could have taken advantage of this security issue. The general public would have been unable to change company details by using the WebFiling service. Companies House have also stated that the security issue did not affect password security; identify verification data such as passport information; or existing filed documents (e.g. accounts or confirmation statements).

Companies House has since announced that the security issue has been resolved and as of Wednesday 18 March it confirmed that there have been no reports of any data being accessed or changed.

However, Companies House advises all companies to:

• Check their registered details to ensure the information showing is correct.
• Check their company filing history for any unusual or unrecognised activity from 1 October 2025, which is when Companies House updated the WebFiling systems.
• Contact Companies House with evidence of any discrepancies or concerns.

To see the official Companies House statement regarding the matter visit Update on Companies House WebFiling security issue – GOV.UK

In line with Companies House guidance, we suggest that you check your Companies House details as soon as possible. If you would like any assistance with reviewing your company information, including where we provide a corporate governance service to you already, please get in touch.

This incident serves as a timely reminder for all businesses that data protection and IT security obligations are not static compliance exercises, but ongoing operational priorities. Organisations must stay abreast of evolving regulatory expectations, emerging threats and best‑practice security standards, particularly as systems become more interconnected and data volumes grow. Compliance with data protection law requires more than policies on paper: it demands regular risk assessments, up‑to‑date technical safeguards, staff training, and clear governance around access, monitoring and incident response.

For corporate governance queries, please contact Erin Willock.

For specialist data protection advice, please contact Kathryn Rogers.