A serious security flaw has been discovered at Companies House, which means those in charge of maintaining records should check the current information.

Having commenced an extensive exercise to validate the ID of directors and Persons with Significant Control, Companies House suffered a serious flaw in security last week. The vulnerability, which affects the online WebFiling system, has raised concerns about unauthorised tampering of company records. 

The vulnerability

The Companies House WebFiling system was compromised shortly after it was updated in October 2025, allowing any logged-in Companies House user to gain unauthorised access to the WebFiling system, view personal data which is not publicly available, and make alterations to some company records for other companies. As a precaution, Companies House stopped all filings on the system on Friday 13 March. A recent update has been issued, confirming that the WebFiling system has now been tested and approved for new filings to be accepted (16 March 2026).  Reports to the Information Commissioner’s Office and the National Cyber Security Centre have been made by Companies House. 

However, Companies House do not know exactly what records have been accessed or changed.  It has been reported that some company directorships could have been altered and personal data not normally published (e.g. dates of birth, addresses) was capable of being viewed without authorisation. However, Companies House has assured users that company accounts, confirmation statements and documents which were already filed have not been modified. 

We realise this security flaw will present a concern for clients managing entities using the WebFiling system, and that clients will want assurance that the records for their entities have not been modified without authorisation. 

Recommended actions

Following recommendations from Companies House, we suggest all those in charge of governance and anyone managing a company on the Companies House website, check the entries for all the relevant companies and organisations, including all the listed directors, persons with significant control and company charges, to confirm that the current records match your expectations.  You may also want to remain vigilant and watch for any further alterations to your records in the upcoming days.  Companies House will be contacting the registered email address for every company to provide guidance on checking each company record. 

We are not yet aware if the vulnerability has affected any entities which are registered on another register (e.g. the FCA Mutuals Register).  However, as some of these organisations are listed on the Companies House website and will perform some filings at Companies House, we suggest that these registers are checked as a precaution. 

If you find an error on your company’s records page or discover that information has been read by third parties, you should note this and raise a complaint with Companies House here.  If you have concerns about how this has affected your organisation, please contact Ben Pumphrey, head of data governance, or your usual AC contact.