Caution is advised following a recently confirmed security flaw within the Companies House WebFiling service, which temporarily exposed certain personal and company information across approximately five million UK‑registered businesses.
Companies House has confirmed that the issue stemmed from a system update in October 2025, and although it was not the result of a cyber‑attack, it did allow logged‑in users, through a specific sequence of actions, to view restricted data and, in some cases, submit unauthorised filings.
Summary of the security issue
Companies House identified the WebFiling issue on Friday 13 March, taking the service offline at 1:30pm while they investigated and resolved the problem. WebFiling was independently tested and restored by 9am on Monday 16 March.
The vulnerability made the following possible for logged‑in users performing specific actions:
- Viewing data not normally publicly available, including:
- The day component of directors’ and PSCs’ dates of birth
- Residential addresses of directors and PSCs
- Company registered email addresses
- Submitting unauthorised filings, such as:
- New accounts
- Changes of director
Assurances from Companies House
Companies House has confirmed the following:
- No WebFiling passwords need to be reset.
- No identity‑verification data (such as passports or personal codes) was accessed.
- No existing filed documents (e.g., accounts or confirmation statements) could have been altered.
- Protected personal details (where protections under the Companies Act 2006 were applied) were not affected.
- They currently have no confirmed evidence that data was accessed or changed without permission or that data could have been extracted in large volumes.
Investigations remain ongoing, and the incident has been reported to both the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC).
What should you do?
Companies House has contacted companies on a precautionary basis, and PM+M recommends that all clients take the following steps:
- Check your company’s registered details
Review both:
- WebFiling, and
- The public ‘Find and update company information’ service
Confirm that:
- No unexpected filings have been submitted
- No changes have been made to company names, registered office addresses, director details, or any other statutory information
- Report anything suspicious
If you notice anything incorrect or unexpected, you are advised to email enquiries@companieshouse.gov.uk, using the subject line: “WebFiling issue”, ensuring you include:
- Company name
- Company number
- A description of your concern
The more detail you provide, the easier Companies House can investigate.
- Sign up for Companies House “follow” alerts
Companies House strongly recommends signing up to its free ‘Follow service’, which provides instant email alerts whenever a filing is made for your company. This is an effective early‑warning safeguard against unauthorised changes.
- Be alert to potential social‑engineering risks
Because certain data (such as partial dates of birth and residential addresses) was temporarily accessible, the risk of phishing emails, impersonation attempts and social‑engineering approaches may be higher than usual.
Further support
Companies House is analysing system data, and if they identify any unauthorised access or changes, they will take appropriate action. They will continue updating companies as their investigation progresses.
As a further precautionary measure, we will conduct a review of your details at the time of your next CS01 filing to ensure accuracy.
If you require assistance reviewing your Companies House records or understanding any potential risks arising from this incident further, please get in touch by emailing enquiries@pmm.co.uk or calling 01254 679131.
