In a shocking turn of events, UK businesses are being urged to scrutinise their records on Companies House following a significant security breach that may have compromised the personal information of countless firms. The glitch allowed logged-in users to view and even modify sensitive details, including directors’ home addresses and email addresses, without any authorisation. While Companies House has acted swiftly to resolve the issue, the potential ramifications for business owners are far-reaching.
A Major Security Flaw Uncovered
The trouble began when Companies House updated its WebFiling systems—an online platform for submitting vital legal documents—back in October 2025. The vulnerability was discovered by John Hewitt, a representative from the corporate services provider Ghost Mail. He stumbled upon the flaw when attempting to access his own company’s dashboard; after pressing the back key multiple times, he found himself able to view another company’s information. Alarm bells rang as he reported this serious oversight to Companies House and the independent think tank, Tax Policy Associates.
In response, Companies House acted promptly, suspending the WebFiling system on Friday to investigate the breach. By Monday, they announced that the issue had been resolved, although they are still conducting a thorough examination to ascertain whether any data was accessed or altered without permission.
Apology and Assurance from Companies House
Andy King, the Chief Executive of Companies House, extended his apologies for the distress caused by this incident. He reassured the public that the agency takes its responsibility to safeguard sensitive information very seriously. King confirmed that the incident had been reported to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC). “We have taken swift action to restore the service and are fully committed to supporting those affected,” he stated.
It’s important to note that while specific personal data—like dates of birth and residential addresses—may have been visible to other users, passwords and identity verification information, such as passports, remained secure. No existing documents, including accounts or confirmation statements, were altered during this period.
Guidance for Affected Businesses
In light of this breach, Companies House is advising all businesses to check their records thoroughly. Companies can expect to receive emails at their registered addresses with detailed instructions on how to verify their information and what steps to take if they have concerns. Business owners are encouraged to visit the SME hub for additional support and guidance.
For those who suspect that their information may have been compromised, Companies House is urging them to file a complaint and provide any relevant evidence to bolster their case.
Looking Back at Previous Incidents
This isn’t the first time sensitive information has been exposed due to lapses in security. Earlier this year, apps from Lloyds, Bank of Scotland, and Halifax inadvertently displayed transactions of other users. Similarly, a 2024 hack on Transport for London affected around 10 million individuals. Each incident serves as a stark reminder of the importance of robust cybersecurity measures in an increasingly digital landscape.
Why it Matters
The implications of this breach extend beyond the immediate concerns of data exposure. It highlights vulnerabilities within critical systems that handle sensitive information and raises questions about the adequacy of cybersecurity measures in place. For businesses, trust is paramount; a breach like this can lead to a loss of confidence among customers and partners alike. As companies strive to navigate a digital-first world, the need for vigilance in data protection has never been more pressing.
