Companies House security vulnerability exposed


A security vulnerability has been identified on Companies House’s website, which potentially provided unauthorised access to personal data of those involved in any of the UK’s five million registered companies.

It also appears possible that the vulnerability could be exploited to file fraudulently for a company, although there is currently no evidence of the issue being exploited in any way.

Before going on, we should be clear:

There is no vulnerability in Inform Direct or in our electronic exchange of data with Companies House.

The issue was identified by John Hewitt, operations director at registered office provider Ghost Mail. Following appropriate reports to Companies House, which then temporarily disabled its standalone systems, the issue was made public on Dan Neidle’s Tax Policy Associates website. The responsible way in which this finding was tested, notified to Companies House and, only once the Registrar had acknowledged and taken appropriate immediate mitigating action, publicly reported is to be commended by all.


What is the scope of the Companies House issue?

If exploited, the vulnerability enabled anyone logging into a Companies House WebFiling account to access the Dashboard of any other company registered at Companies House. By doing so, a user could:

  • Expose personal data for individuals attached to any company, such as email addresses, directors’ full dates of birth and residential addresses; and
  • Apparently – although this is subject to confirmation – make filing submissions on that company. This could seemingly include any electronic filing, such as changes to directors’ personal details, the fraudulent appointment of new officers or updates to the company’s registered office address. It may have been possible to file accounts.

Both of these are potentially of great concern, and it appears from a statement issued by Companies House that the vulnerability has existed since October 2025.

The personal data potentially available could make subjects targets for identity fraud, phishing and social engineering attacks. If filing submissions was possible because of the vulnerability, criminals could have made updates to enable them to fraudulently open bank accounts and obtain lending in the name of those companies.

How was it possible for the security vulnerability to be exploited?

The route to accessing the flaw was not particularly sophisticated:

  • A user could log in legitimately via WebFiling to their own company’s dashboard
  • From there, they could select to ‘File for another company’
  • They would then select the name of any of the other five million companies registered at Companies House
  • Upon being prompted for the target company’s authentication code, the user could press ‘back’ a number of times
  • This then returned the user to the Dashboard of the target company, to which they should not have access without the authentication code, rather than their original company

It was from this point that the user could view personal information about individuals involved in the company or, apparently, make filings for the company.
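
Companies House has not published how the flaw arose, so the following is an added, hypothetical model (not Companies House code and not part of the original article) of one common way a multi-step flow produces the behaviour described above: the session’s company context changes before the authentication code is checked. All function names, company numbers and codes are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: company number -> authentication code
AUTH_CODES = {"00000001": "A1B2C3", "00000002": "Z9Y8X7"}

@dataclass
class Session:
    authorised: set                        # companies proven with an auth code
    active_company: Optional[str] = None   # company whose dashboard is shown
    pending_company: Optional[str] = None  # selected, still awaiting its code

def login(company, code):
    if AUTH_CODES.get(company) != code:
        raise PermissionError("bad authentication code")
    return Session({company}, active_company=company)

def select_other_company_weak(s, target):
    # Weak: context switches to the target before any code has been checked.
    s.active_company = target

def select_other_company_safe(s, target):
    # Hardened: the target is only remembered as pending; context is unchanged.
    s.pending_company = target

def submit_auth_code(s, code):
    target, s.pending_company = s.pending_company, None
    if target is None or AUTH_CODES.get(target) != code:
        raise PermissionError("bad authentication code")
    s.authorised.add(target)
    s.active_company = target

def dashboard_weak(s):
    # Weak: trusts whatever company the session currently points at.
    return f"dashboard:{s.active_company}"

def dashboard_safe(s):
    # Hardened: every request re-checks authorisation for the active company.
    if s.active_company not in s.authorised:
        raise PermissionError("not authorised for this company")
    return f"dashboard:{s.active_company}"

def abandoned_prompt(select, dashboard):
    """Pick another company, never enter its code, then reload the dashboard."""
    s = login("00000001", "A1B2C3")
    select(s, "00000002")
    try:
        return dashboard(s)
    except PermissionError:
        return "denied"
```

The per-request check in `dashboard_safe` denies access even when the weak selection step is left in place, which is why authorisation belongs on every request rather than only at the code prompt.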

What we don’t currently know

Until Companies House investigates and publishes more information, there’s much that we don’t know:

  • How the security vulnerability arose
  • Whether Companies House can identify which (if any) companies – and therefore, whose personal data – may have been accessed
  • Whether fraudulent Companies House submissions have been made and, if so, on which companies

Inform Direct continues to liaise with Companies House for further information.

What is Companies House doing?

Upon being advised of the potential vulnerability, Companies House suspended their standalone online WebFiling and ‘Set up a limited company’ services. As at 10.30am on Monday 16 March 2026, access to WebFiling has been resumed.

Companies House confirmed that anyone who missed their filing deadline due to the WebFiling service being temporarily unavailable over the weekend should:

  • Take a screenshot of any error messages and note the time and date; and
  • File now that the service is available

Inform Direct remains fully operational to make submissions to Companies House, for existing and new users.

Under the UK’s GDPR legislation, Companies House had 72 hours to notify the Information Commissioner of the potential data breach. The Registrar will need to directly contact data subjects specifically identified as affected. If it is not possible to identify specific victims, it seems likely that they will communicate generally to all registered companies.

Inform Direct is unaffected by the vulnerability

There is no vulnerability in Inform Direct or in our electronic exchange of data with Companies House.

The weakness identified could only be exploited by someone logged in to Companies House’s own systems, although by doing so they could access the details of any company registered at Companies House.

Inform Direct is also unaffected by any unavailability of Companies House’s standalone systems. All Inform Direct features are available, including the submission of forms to Companies House.

What should companies do now?

We should remember that there is currently no evidence that the potential vulnerability at Companies House has been exploited. In time, we hope that Companies House will identify the scope of those companies potentially affected by any breach of personal data and fraudulent filing, and advise upon remediation.

However, many companies will take comfort now in checking their Companies House data and ensuring that no unauthorised changes have been made.

Inform Direct is still able to synchronise information from the Companies House record. So you can check the current details of your companies on Inform Direct if you or your clients are concerned.

If you do identify any suspicious transactions, particularly in the period since October 2025, Companies House has advised that you use their procedure to raise a complaint.

Accountants may wish to consider preparing their own messaging to clients, or at least be prepared to manage queries received. That may become more important as and when Companies House messages all companies about the incident, when companies are likely to look to their trusted accountant for support.

