Firms urged to check if other users edited their data on Companies House

Logged-in users may have been able to view and edit other companies' details, including directors' home addresses and emails, without their consent.

Companies House said it was made aware of the security issue on Friday and it had been resolved by Monday. It said it had no current reports of data having been accessed.

Andy King, chief executive of Companies House apologised for the incident and said it had been reported to the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC).

"Companies House takes its responsibility to protect the data entrusted to us extremely seriously," King said.

He added they had taken "swift action" to restore the service, and were committed to doing everything "to support those affected" and make sure their services "continue to merit the trust placed in them".

Companies House is the official UK government agency responsible for incorporating, dissolving, and registering limited companies.

According to the organisation, the security issue was introduced when it updated their WebFiling systems - the online service by which UK company directors submit legal documents such as annual accounts - in October 2025.

The flaw was reportedly discovered on Thursday by John Hewitt from the corporate services provider Ghost Mail, who alerted Companies House and the independent think tank the Tax Policy Associates.

Hewitt discovered that by going to his own company's dashboard and trying to view another which he didn't own and pressing the back key four times, he was suddenly able to see the dashboard of the other company.

Companies House said it closed its WebFiling system on Friday while it investigated the issue.

Its investigation found specific data from individual companies such as dates of birth and residential addresses may have been visible to other users logged into the WebFiling system.

The agency added in its update it may also have been possible for unauthorised filings — such as accounts or changes of director — to have been made on another company's record.

But it said passwords had not been compromised, and data used for identity verification process such as passports had not been accessed.

No existing filed documents, such as accounts or confirmation statements could have been altered, it said.

An investigation into what data - if any - may have been accessed or changed without permission is ongoing.

An ICO spokesperson confirmed it had received a report from Companies House and advised business owners to look at their SME hub for advice.

Companies can expect to receive an email to their registered email address which will explain how to check their details and what steps to take if they have any concerns.

Any business with a concern is asked to raise a complaint and include evidence to describe it.