A significant security vulnerability has been identified within the UK’s Companies House online portal, potentially exposing sensitive company and director information to unauthorized access. Logged-in users may have had the ability to view and, more alarmingly, edit the data of other companies without their explicit consent. This breach could have allowed for the disclosure of confidential details such as directors’ private home addresses and email addresses.
Companies House, the official UK government agency responsible for maintaining the register of limited companies, announced it was alerted to the security flaw on Friday and has since taken swift action to rectify the issue, with services reportedly restored by Monday. Crucially, the agency has stated that it has received no current reports of data actually being accessed or misused.
Andy King, the chief executive of Companies House, has issued a public apology for the incident, emphasizing that the matter has been formally reported to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC) for thorough investigation and guidance. "Companies House takes its responsibility to protect the data entrusted to us extremely seriously," King stated, underscoring the gravity with which the agency views its data protection obligations. He further assured the public that "swift action" had been implemented to reinstate the affected services and reiterated the organization’s commitment to supporting any businesses that may have been impacted, aiming to ensure their services continue to uphold the trust placed in them.
The security lapse is understood to have originated from an update made to Companies House’s WebFiling system in October 2025. WebFiling is the primary online platform through which UK company directors submit legally mandated documents, including their annual accounts and other crucial filings. The vulnerability was reportedly discovered on Thursday by John Hewitt, an individual associated with the corporate services provider Ghost Mail. Mr. Hewitt subsequently alerted both Companies House and the independent think tank, Tax Policy Associates, to his findings.

According to Mr. Hewitt’s account, the flaw was inadvertently revealed when he attempted to navigate to another company’s dashboard, a company he did not own, from his own company’s portal. By repeatedly using the back key on his browser, he unexpectedly found himself able to access the dashboard of the other company. This sequence of actions highlighted a critical flaw in the system’s access controls.
In response to the discovery, Companies House promptly closed its WebFiling system on Friday to facilitate an immediate and comprehensive investigation into the security breach. The subsequent internal review confirmed that specific personal data associated with individual companies, such as dates of birth and residential addresses of directors, may have been visible to other users who were logged into the WebFiling system concurrently.
Furthermore, the agency disclosed that the security vulnerability might have also permitted unauthorized filings to be made on another company’s record. This could have included alterations to company accounts or changes to director appointments, thereby posing a significant risk to corporate integrity.
Despite the severity of the potential data exposure, Companies House has provided reassurance that user passwords were not compromised during the incident. Additionally, data utilized for identity verification processes, such as scanned passports, was confirmed not to have been accessed. It was also clarified that existing filed documents, including historical accounts and confirmation statements, could not have been altered through this vulnerability.
An in-depth investigation is currently underway to ascertain the full extent of any data that may have been accessed or modified without authorization. The findings of this investigation will be crucial in determining the precise impact of the breach and informing any necessary remedial actions.
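One way to scope the kind of review described above, as an added example that is not from Companies House or the article: compare request logs against the companies each user is authorised for, and list every view or change made outside that set. The log format, URL paths, user IDs and company numbers are constructed for illustration.

```python
import csv
import io

# Constructed data: company numbers each user is authorised to file for.
AUTHORISED = {
    "user-a": {"00000001"},
    "user-b": {"00000002", "00000003"},
}

# Constructed request log in a hypothetical format: time,user,method,path
SAMPLE_LOG = """\
2025-11-03T09:14:02Z,user-a,GET,/company/00000001/dashboard
2025-11-03T09:14:40Z,user-a,GET,/company/00000002/dashboard
2025-11-03T09:15:10Z,user-a,POST,/company/00000002/filings
2025-11-03T09:20:00Z,user-b,GET,/company/00000003/dashboard
2025-11-03T09:21:00Z,user-b,POST,/company/00000003/filings
2025-11-03T09:30:00Z,user-c,GET,/company/00000001/dashboard
"""

def company_from_path(path):
    """Return the company number from /company/<number>/..., else None."""
    parts = path.strip("/").split("/")
    if len(parts) >= 2 and parts[0] == "company":
        return parts[1]
    return None

def find_cross_company_access(log_text, authorised):
    """List requests that touched a company the user is not authorised for."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        ts, user, method, path = row
        company = company_from_path(path)
        if company is None or company in authorised.get(user, set()):
            continue
        # Reads expose data; any other method may have changed the record.
        kind = "view" if method == "GET" else "modify"
        findings.append({"time": ts, "user": user,
                         "company": company, "kind": kind})
    return findings

def affected_companies(findings):
    """Group findings by company so each affected company can be notified."""
    summary = {}
    for f in findings:
        summary.setdefault(f["company"], set()).add(f["kind"])
    return summary
```

Users missing from the authorisation table are treated as authorised for nothing, so their company-scoped requests are flagged rather than silently skipped.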

An ICO spokesperson has confirmed receipt of the report from Companies House and has advised business owners to consult the ICO’s SME hub for guidance and support. Companies registered with Companies House can expect to receive an email communication to their registered address. This email will provide detailed instructions on how to verify their company’s information and outline the steps to take should they have any concerns regarding their data.
Any business experiencing concerns or wishing to report an issue related to this security incident is strongly encouraged to formally lodge a complaint with Companies House. It is advised that all complaints include specific evidence to support the described concerns, thereby aiding in the investigation process.
This incident highlights the paramount importance of robust cybersecurity measures for all government and corporate digital platforms. The continuous monitoring and updating of systems are essential to prevent such breaches, which can have far-reaching consequences for both individuals and businesses. The transparency shown by Companies House in reporting the issue and their commitment to addressing it are positive steps, but the ongoing investigation will be critical in fully understanding and mitigating the impact of this significant security lapse.
The proactive engagement from the public and cybersecurity experts in identifying and reporting such vulnerabilities is a vital component of maintaining digital trust and security across the United Kingdom’s corporate landscape. The lessons learned from this incident will undoubtedly inform future security protocols and system development within public sector organizations. The reliance on digital systems for critical government functions necessitates a perpetual vigilance against evolving cyber threats, and this event serves as a stark reminder of that ongoing challenge.
The collaboration between government agencies, private sector entities, and cybersecurity professionals will be key to building a more resilient digital infrastructure for the future. The long-term implications for trust in digital government services will depend on the thoroughness of the investigation and the effectiveness of the preventative measures implemented going forward. The accessibility of company information is vital for transparency, but it must be balanced with the stringent protection of personal and sensitive data.








