A ‘security issue’ at the agency Companies House which registers companies meant that a logged-in user of its WebFiling service could access and change some elements of another companyโs details without their consent after performing a specific set of actions. It’s admitted that this issue was introduced when it updated WebFiling systems in October 2025.
It says it reported this incident to the UK data privacy watchdog the Information Commissionerโs Office (ICO) and the National Cyber Security Centre (NCSC) and is ‘actively analysing’ its data to identify any anomalies. It’s asking companies to check their registered details and filing history to make sure everything appears correct. If a company has a concern, it should contact Companies House on [email protected] using โWebFiling issueโ in the subject heading. Companies House chief exec Andy King has apologised.
It recommends companies signing up to its free Follow service. Follow sends an email alert whenever a document is filed with Companies House for any company you choose to follow โ including your own.
Comment
Jamie Akhtar, CEO of CyberSmart, described the WebFiling vulnerability as a significant incident, and the implications stretch well beyond the immediate exposure of directors’ personal data, he said. “The flaw reportedly allowed unauthenticated access to company records, meaning residential addresses, dates of birth and email addresses were accessible to anyone who knew where to look. For the directors of smaller firms, that kind of exposure creates real and immediate personal risk.
“What makes this particularly concerning is the scale of potential reach. Companies House holds records for over five million businesses. The data exposed is exactly the kind of information used to build convincing social engineering attacks, targeted phishing campaigns and identity fraud. Criminals rarely need to exploit a vulnerability themselves when publicly reported details are enough to craft credible impersonation attempts against directors and their staff.
“The risk of fraudulent amendments to company records also warrants attention. Smaller firms are less likely to have dedicated compliance resource monitoring their filings, which means unauthorised changes could go undetected for longer. As the founder of Tax Policy Associates noted, criminals are more likely to target smaller businesses precisely because the oversight is weaker. Cyber awareness among small business owners and their teams is one of the most effective ways to close that gap, particularly when the threat comes through trusted channels like official correspondence or company registration platforms.
“This incident is a reminder that publicly trusted infrastructure carries real cyber risk, and that the organisations and individuals who depend on it have limited control over how that risk is managed. For business owners, the immediate priority is to check their Companies House records and verify that no unauthorised changes have been made. Directors whose personal details may have been exposed should be alert to unsolicited contact referencing company or registration information, as this is often the starting point for follow-on attacks.”
