Companies House resolves critical security glitch in its WebFiling service

Companies House says it has resolved a glitch in its online WebFiling service that allowed registered members to view and alter data belonging to other registered companies since at least October 2025.

 

The British government’s official registrar of companies, responsible for incorporating, dissolving, and maintaining records of limited companies and LLPs, announced on Monday that it had resolved the security vulnerability in its online filing service that arose during an update process in October 2025.

 

It said the security issue enabled logged-in users to potentially access and change some elements of another company’s details. Logged-in users could view other companies’ registered addresses, email addresses, dates of birth and make changes to account details and details of directors.

 

Companies House said it learned about the security issue on Friday and immediately suspended the WebFiling service. "The service has been independently tested and is back online as of 9am on Monday 16 March," it said.

 

The registrar of companies said the security issue did not compromise users’ passwords, data used for identity verification services and logged-in users could not alter filed documents such as accounts or confirmation statements.

 

"We believe that this issue could not have been used to extract data in large volumes or to access records systematically. Any access would have been limited to individual company records, viewed one at a time by a registered WebFiling user," Companies House said.

 

The registrar said it proactively reported the incident to the Information Commissioner’s Office and the National Cyber Security Centre. It is also analysing its data to identify any anomalies, and will email every company’s registered email address to explain how to check their details and what steps to take if they have any concerns.

 

"If we find evidence that anyone has used this issue to access or change another company’s details without authorisation, we will take firm action," it added.

 

"I recognise that this incident will have caused concern and inconvenience to many of the companies and individuals who rely on our services. I am sorry for that," said Andy King, the chief executive officer of Companies House. 

 

"Companies House takes its responsibility to protect the data entrusted to us extremely seriously. We have taken swift action to secure and restore our service, and are committed to doing everything in our power to support those affected and to making sure that our services continue to merit the trust placed in them," he added.