The United Kingdom’s corporate registry, Companies House, temporarily shut down its WebFiling service after identifying a security vulnerability that could have allowed certain logged-in users to access or modify limited information belonging to other companies. The issue was discovered on Friday, March 13, prompting an immediate investigation and a temporary suspension of the online filing platform.

Andy King, Chief Executive of Companies House, issued a statement outlining what happened, what data may have been exposed, and the steps being taken to address the incident. The service was restored after additional testing and security checks.

Discovery of the WebFiling Vulnerability

Companies House became aware of the issue on March 13 when it was discovered that users logged into the WebFiling system could potentially access or modify certain elements of another company’s information by performing a specific sequence of actions within the platform.

Importantly, the vulnerability was not accessible to the general public. Only users who were already logged in with an authorised company authentication code could potentially exploit the flaw.

As a precaution, Companies House suspended WebFiling access at 1:30 p.m. on March 13 while technical teams investigated the issue. Following remediation and independent security testing, the service was brought back online at 9:00 a.m. on Monday, March 16.

WebFiling is widely used by UK businesses to submit statutory documents such as annual accounts, director updates, and confirmation statements to the official company register.

What Data May Have Been Exposed

According to the investigation so far, certain sensitive information that is not normally displayed on the public Companies House register may have been visible to other logged-in WebFiling users.

This information could have included:

• Dates of birth of company officers
• Residential addresses
• Company email addresses

There was also a possibility that unauthorised filings — such as submitting company accounts or making changes to director information — could have been made on another company’s record.

However, Companies House emphasized that several critical systems and data categories were not affected.

Data That Was Not Compromised

The agency confirmed that the following data remained secure:

• User passwords were not exposed or compromised
• Identity verification data, including passport information, was not accessed
• Previously filed documents — such as annual accounts or confirmation statements — could not be altered

Investigators also believe the vulnerability could not have been used to extract data on a large scale or to systematically access multiple records.

Any potential misuse would have required a logged-in WebFiling user to view company records individually, one at a time.

Cause Linked to October 2025 System Update

Preliminary findings suggest the issue may have been introduced during a system update to the WebFiling platform in October 2025.

Companies House is continuing to review its systems and analyze data logs to determine whether the vulnerability was used to access or modify company information.

Authorities Notified and Ongoing Investigation

Companies House has reported the incident to both the UK’s data protection regulator and national cybersecurity authority.

These include:

• The Information Commissioner’s Office (ICO), which oversees data protection and privacy regulations in the UK
• The National Cyber Security Centre (NCSC), the government agency responsible for cyber threat response

The agency is also reviewing system data to identify any irregular activity that may indicate unauthorized access or filings.

Companies House said it will take “firm action” if evidence emerges that the vulnerability was exploited.

Guidance for UK Companies

Companies House is advising all registered companies to review their filing history and corporate information on the official register.

Businesses should confirm that:

• Company details remain accurate
• No unexpected filings have been made
• Director or officer information has not been altered

If companies identify suspicious changes or discrepancies, they are encouraged to submit a formal complaint and provide supporting evidence.

Companies House will also contact companies directly by email, using the registered email addresses on file, with instructions on how to verify their records and report concerns.

Transparency and Next Steps

At the time of the announcement, Companies House said it had not received any reports confirming that company data had been accessed or altered without permission.

However, the investigation remains ongoing, and further updates are expected as the review progresses.

The agency also plans to publish a dedicated information page addressing frequently asked questions and providing additional guidance for businesses.

Apology From Companies House

Andy King acknowledged that the incident may have caused concern among UK businesses and individuals who rely on the government registry.

He apologized for the disruption and emphasized that protecting company data remains a core responsibility of the agency.

Companies House stated it acted quickly to secure the system, restore the service, and ensure that businesses can continue filing documents with confidence.

As the UK’s central corporate registry — holding records for more than five million companies — the organization said it remains committed to maintaining the integrity and trustworthiness of its services.