Companies House Security Issue: UK Firms Urged to Check Details


Logged-in users may have been able to view and edit other companies' details, including directors' home addresses and emails, without their consent.

Companies House said it was made aware of the security issue on Friday and had resolved it by Monday. It reported no current evidence of data being accessed.

Andy King, chief executive of Companies House, apologized for the incident and confirmed it had been reported to the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC).

"Companies House takes its responsibility to protect the data entrusted to us extremely seriously," King said.

He added that swift action had been taken to restore the service and that the agency was committed to supporting those affected and ensuring its services continue to merit public trust.

Companies House is the official UK government agency responsible for incorporating, dissolving, and registering limited companies.

The security issue was introduced in October 2025 during an update to its WebFiling system, the online service used by UK company directors to submit legal documents such as annual accounts.

The flaw was reportedly discovered on Thursday by John Hewitt from the corporate services provider Ghost Mail, who alerted Companies House and the independent think tank Tax Policy Associates.

Hewitt found that after accessing his own company's dashboard and then attempting to view another company he did not own, pressing the back key four times let him see the other company's dashboard.

Companies House closed its WebFiling system on Friday to investigate the issue.

The investigation revealed that specific data from individual companies, such as dates of birth and residential addresses, may have been visible to other users logged into the WebFiling system.

The agency also noted it may have been possible for unauthorized filings—such as accounts or changes of director—to have been made on another company's record.

However, passwords were not compromised, and data used for identity verification, such as passports, were not accessed.

No existing filed documents, including accounts or confirmation statements, could have been altered, the agency said.

An investigation is ongoing to determine what data, if any, may have been accessed or changed without permission.

An ICO spokesperson confirmed receiving a report from Companies House and advised business owners to consult their SME hub for guidance.

Companies can expect to receive an email at their registered address explaining how to check their details and what steps to take if they have concerns.

Any business with concerns is encouraged to raise a complaint and provide evidence describing the issue.
