Companies House WebFiling Security Issue

The Curious Codex

2026-04-06 Published, 2026-04-06 Updated

The Author
GEN Blog

Mr Bat Man

Batman has never worked for the company.


Companies House WebFiling Security Issue: What Directors Need to Know


In March 2026, Companies House confirmed a serious security issue in its WebFiling service. In a public statement published on 16 March 2026, it said that a logged-in WebFiling user could potentially access and change some elements of another company's details without consent after performing a specific set of actions. According to the BBC's reporting, affected information could include directors' home addresses, dates of birth and email addresses.


This matters because Companies House sits at the centre of UK corporate administration. Directors, company secretaries and service providers rely on it to file records that are legally significant. If a flaw allows one authenticated user to cross into another company's private area, that is not a minor inconvenience; it is a failure of access control in a government service that handles sensitive personal and corporate data.


What Companies House Said Happened

The official statement says Companies House became aware of the issue on Friday 13 March 2026. WebFiling was closed while the problem was investigated and fixed, and the service returned on Monday 16 March after independent testing. Companies House also said it had reported the matter to the Information Commissioner's Office and the National Cyber Security Centre.


Its wording is important. The issue was not described as public access by anonymous visitors. Instead, it affected logged-in WebFiling users. That distinction raises the barrier to abuse only slightly. Any flaw that lets one authenticated user access another company's non-public data is still a serious security incident.


What Data May Have Been Exposed

Companies House said that specific data not normally published on the public register may have been visible to other logged-in users. Public reporting, including the BBC and AccountingWEB, described the issue as potentially exposing director information such as residential addresses, dates of birth and email addresses.


That combination is sensitive. Even where it does not immediately enable fraud on its own, it materially improves the quality of phishing attempts, attempts to pass identity checks, and social engineering. For directors who have deliberately kept personal contact details separate from public business records, the exposure is especially concerning.


Why the Flaw Is So Serious

The core issue appears to have been authorisation rather than authentication. In other words, the system recognised that a user was logged in, but under certain circumstances did not properly enforce whether that user was entitled to see or amend the specific company record being accessed. That is a basic control in any system that handles private records.


Security failures of this type are serious because they are difficult to excuse. A public-facing filing platform should assume that authenticated users are still untrusted outside their own account scope. Every request for private company data should be checked against the permissions for that exact company and that exact user. If that check can be bypassed, the whole trust model breaks down.
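The distinction between authentication and per-company authorisation described above, as an added illustration that is not Companies House code: a handler that only checks for a logged-in session beside one that also checks the exact user against the exact company and records each decision. The company numbers, user names, field names and permission table are constructed for the example.

```python
# Added example: a minimal model of an authentication-only check versus a
# per-user, per-company authorisation check. All identifiers and data below
# are constructed for illustration; none of this is Companies House code.
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class CompanyRecord:
    number: str
    director_home_address: str  # not shown on the public register
    director_email: str         # not shown on the public register


class PermissionDenied(Exception):
    pass


# Constructed sample data: two companies, each administered by one user.
COMPANIES = {
    "00000001": CompanyRecord("00000001", "1 Example Street", "director@example-one.test"),
    "00000002": CompanyRecord("00000002", "2 Sample Road", "director@example-two.test"),
}
AUTHORISED = {"alice": {"00000001"}, "bob": {"00000002"}}  # user -> company numbers
AUDIT_LOG: list = []  # one entry per access decision, allowed or not


def get_record_vulnerable(session_user: Optional[str], company_number: str) -> CompanyRecord:
    """Checks only that *someone* is logged in (authentication). It never asks
    whether this user is entitled to this company's record (authorisation)."""
    if session_user is None:
        raise PermissionDenied("login required")
    return COMPANIES[company_number]


def get_record_fixed(session_user: Optional[str], company_number: str) -> CompanyRecord:
    """Authenticates, then enforces that the exact user is authorised for the
    exact company, and logs the decision so later review can show who saw what."""
    if session_user is None:
        raise PermissionDenied("login required")
    allowed = company_number in AUTHORISED.get(session_user, set())
    AUDIT_LOG.append({"user": session_user, "company": company_number,
                      "action": "view", "allowed": allowed})
    if not allowed:
        raise PermissionDenied(f"{session_user} is not authorised for {company_number}")
    return COMPANIES[company_number]


def leaks_across_companies(handler: Callable[[Optional[str], str], CompanyRecord]) -> bool:
    """Regression check: can a user authorised only for company 1 read company 2?"""
    try:
        handler("alice", "00000002")
        return True
    except PermissionDenied:
        return False
```

The `leaks_across_companies` check is the kind of test a filing platform can run on every release so that a regression in the authorisation layer is caught before deployment rather than by users.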


Questions That Still Need Answers

Companies House said the issue could not have been used to extract data in large volumes or to access records systematically. That may turn out to be correct, but it is also a claim that outsiders cannot easily verify without more technical detail about rate limits, logging, monitoring and the exact conditions needed to reproduce the issue.


At the time of writing, the public information leaves several obvious questions:

  • How long had the flaw been present before it was discovered?
  • Exactly which fields could be viewed, and which could be altered?
  • How many company records were potentially exposed?
  • What logging exists to show whether data was actually viewed or changed?
  • What independent assurance has been carried out since the fix?

Until those questions are answered more fully, directors are entitled to remain cautious about the extent of the incident and the adequacy of the response.


Practical Risks for Directors

The immediate practical risks are straightforward:

  • Identity fraud: personal data linked to a named director can be valuable in credit applications and impersonation attempts.
  • Targeted phishing: messages that reference a director's company, filing history or personal details are more believable than generic spam.
  • Unauthorised changes: if records could be edited as reported, false filings or changes to company details become a real concern.
  • Long-tail exposure: once personal data has been viewed or copied, the consequences can continue long after the original flaw is fixed.

What Directors Should Do Now

If you are a company director, secretary or filing agent, there are sensible steps worth taking now:

  • Review your Companies House record and confirm that all company details are still correct.
  • Check the email address associated with filings and change it if you suspect it has become a phishing target.
  • Monitor personal and business credit files for unusual activity.
  • Keep copies of suspicious emails or messages that appear to use Companies House-specific information.
  • Where appropriate, look into Companies House processes for suppressing or protecting residential address information.

Accountability and Compensation

The ICO will investigate, and that process matters. However, public-sector data incidents do not always produce the kind of visible accountability many affected people expect. That is one reason directors should keep records of any suspicious activity, costs incurred or distress caused after the incident.


There may also be a route to compensation in some cases. Under UK GDPR Article 82, a person who suffers material or non-material damage as a result of an infringement may be entitled to compensation. That does not mean every affected director automatically has a claim, but it does mean the legal position should not be dismissed out of hand, particularly if evidence emerges that personal data was accessed or misused.


Summary

The Companies House WebFiling issue is significant because it undermines trust in a government system that directors are effectively required to use. The reported problem was not a theoretical weakness; it was a flaw that could let one logged-in user cross into another company's private area. Even on the most charitable reading, that is a serious security failure.


The immediate lesson is simple: if a platform holds sensitive personal and corporate data, access control has to be exact, consistent and testable. The longer-term lesson is just as important. When an incident like this happens, directors should not rely on reassurance alone. Check your records, watch for follow-on abuse, and keep evidence.


--- This content is not legal or financial advice & Solely the opinions of the author ---