Companies House has confirmed a significant security flaw in its WebFiling system that potentially exposed sensitive company data and, in certain cases, allowed unauthorised users to make changes to a company’s records.
The issue was first identified by John Hewitt of Ghost Mail and later analysed and publicised by tax policy expert Dan Neidle.
The WebFiling service was taken offline on 13th March to investigate the issue and returned online on 16th March.
A flaw in Companies House WebFiling meant a logged-in user could potentially view private director data and submit filings for other companies. There is no evidence so far of widespread misuse, but all companies have been advised to check their records.
System update to blame for security flaw
Companies House says that the security flaw was caused by a system update in October 2025, rather than a cyberattack.
If someone had logged on to their company account, they could, under certain conditions:
- Access data from other companies that is not normally shown on the public register, including:
  - Director and PSC full dates of birth (only the month and year are shown publicly).
  - Residential addresses.
  - Registered company email addresses.
- Submit filings for another company, including appointing a new director or filing accounts.
Companies House says that no existing documents could have been altered, and no ID verification data has been accessed.
Has the extent of the issue been minimised?
Companies House has said that a specific set of actions would be required to access another company’s data, and that it is unlikely this could be exploited at scale.
However, independent analysis suggests that this explanation minimises the true extent of the problem.
Tax policy expert Dan Neidle showed that the behaviour was relatively easy to reproduce.
A user could begin filing for their own company, navigate backwards and change the company number ID in the query, and end up inside that company’s private dashboard.
This is not a particularly ‘exotic’ attack, but something a curious user could do – even accidentally.
In theory, this could have applied to any company on the register – over five million in total. The data involved is not trivial either, as it includes dates of birth and home addresses. Neither appears on the public record.
More importantly, the ability to submit filings opens the door to more practical problems. A malicious user could attempt to change company details, redirect correspondence, or create confusion around ownership and control.
Companies House has said the issue dates back to an October 2025 update, which raises the obvious question of how long it had been live before it was detected.
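How long a flaw like this goes unnoticed depends on whether anything is watching for sessions that reach a company they never authenticated for. As an added example (not Companies House code and not part of the original article), the Python below replays a constructed request log and flags those sessions; the log format, the `company` query parameter name and every company number are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample log, one event per line: "<session> <event> <detail>".
# AUTH lines record the company number a session authenticated for.
SAMPLE_LOG = """\
s1 AUTH 01234567
s1 GET /dashboard?company=01234567
s1 GET /file/accounts?company=01234567
s2 AUTH 07654321
s2 GET /file/confirm?company=07654321
s2 GET /dashboard?company=09999999
s2 POST /file/appoint-director?company=09999999
s3 GET /dashboard?company=01234567
"""

def company_in(url, param="company"):
    """Return the company number carried in the query string, or None."""
    values = parse_qs(urlsplit(url).query).get(param, [])
    return values[0] if values else None

def find_cross_company_access(log_text):
    """Flag requests naming a company the session has not authenticated for.

    Events are assumed to be in time order, so a request that arrives
    before any AUTH event for its session is flagged as well.
    """
    authorised = defaultdict(set)   # session id -> company numbers it may act on
    findings = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue                # skip blank or malformed lines
        session, event, detail = parts
        if event == "AUTH":
            authorised[session].add(detail)
            continue
        company = company_in(detail)
        if company is not None and company not in authorised[session]:
            findings.append((session, event, company, urlsplit(detail).path))
    return findings

if __name__ == "__main__":
    for finding in find_cross_company_access(SAMPLE_LOG):
        print("cross-company access:", finding)
```

The same comparison, applied inside the request handler instead of after the fact, is the authorisation check that stops the request being served at all.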
Directors asked to double-check their data
Companies House has contacted companies via email on a precautionary basis and has advised directors to log in and review their records. You can read the update online.
This means:
- Check your company details on the Companies House register.
- Make sure there are no unauthorised filings.
- Make sure all of the director, PSC and address details are still correct.
If anything looks wrong, directors are urged to contact Companies House at enquiries@companieshouse.gov.uk using “WebFiling issue” in the subject line.
You can also sign up for the “Follow” service, which will send you an email alert whenever a filing is made for a specific company.
Awkward timing during ID verification rollout
The news would be bad at any time, but this system error comes at a particularly awkward moment for Companies House.
New reforms are being rolled out to secure access to the register, including mandatory identity verification for directors.
And, ironically, the aim of these reforms is to reduce fraud and improve trust in the system.
Even if there appears to be no evidence of widespread abuse, a bug which potentially allowed unauthorised access and filings is very embarrassing.
The incident has been reported to the Information Commissioner’s Office (ICO), and Companies House says it will take action if any evidence of misuse emerges.
At this stage, it says there are no confirmed cases of data being accessed or altered without permission.

