We are sharing this update from ACCA, our professional body, for the interest of clients and contacts. The content is (c) ACCA

Companies House breach raises red flags for UK businesses

A recently disclosed security breach at Companies House has sent a tremor through the UK business community, revealing that its WebFiling system was vulnerable for far longer than first thought and that sensitive company data may have been exposed in the process.

On 13 March, Companies House identified a flaw in its WebFiling service that allowed a logged-in user, under specific conditions, to access and potentially amend another company’s records. The service was swiftly shut down and remained offline for investigation until 16 March.

The issue, however, was not new. It has since emerged that the vulnerability dates back to October 2025, when Companies House updated its systems to integrate with GOV.UK One Login, replacing the older Government Gateway. In effect, the system may have been compromised for up to five months.

While the breach was not open to the public – with access required via a valid login and authentication code – the flaw created a troubling loophole: users could navigate from their own company dashboard into another company’s record.

Data potentially exposed included directors’ dates of birth, residential addresses and company email addresses. There are concerns that it may also have been possible to submit unauthorised filings, such as changes to directors and submission of accounts.

In an update on the issue, Companies House has issued a statement of apology and stressed that:

  • passwords were not compromised
  • identity verification data (such as passport details) was not accessed
  • previously filed documents could not be altered.

Companies House also believes the breach could not be exploited at scale, as access was limited to one company at a time.

While Companies House has sought to reassure users that there is no evidence so far of widespread misuse, the duration of the vulnerability raises uncomfortable questions. The incident has been reported to both the Information Commissioner’s Office and the National Cyber Security Centre, signalling its seriousness despite official reassurances.

Although Companies House took the WebFiling service offline and patched the issue, practitioners may wish to advise clients to:

  • immediately review their Companies House records and check all company details, director information, and recent filings for accuracy
  • scrutinise filing history and look for any unfamiliar submissions or changes, particularly since October 2025
  • strengthen internal controls and ensure that only authorised individuals have access to authentication codes and filing credentials
  • stay alert to phishing risks and warn staff and clients that exposed personal data could be used in targeted scams
  • act quickly on discrepancies – any malicious changes should be reported to Companies House without delay, with supporting evidence
  • monitor communications – watch for official emails from Companies House outlining further steps or findings.