In a startling revelation, UK companies are being urged to scrutinise their details on the Companies House platform following a significant security lapse. The glitch, which emerged last week, potentially exposed sensitive information of countless firms, including personal data of directors. With this incident raising serious concerns about data protection, businesses are now on high alert to ensure their information remains secure.
Major Security Breach Unveiled
Last Friday, Companies House acknowledged a major flaw in its WebFiling system that could have allowed logged-in users to access and edit the details of other companies without consent. This alarming breach included sensitive information such as directors’ home addresses and email contacts.
The issue was first detected by John Hewitt, a representative from the corporate services provider Ghost Mail. While attempting to view his own company’s dashboard, he inadvertently discovered that by pressing the back key multiple times, he could access another company’s dashboard. This prompted an immediate alert to Companies House and the independent think tank Tax Policy Associates.
Companies House acted swiftly, halting the WebFiling service on Friday to investigate the extent of the breach. By Monday, the agency announced that the issue had been resolved, but the ramifications could be far-reaching.
Response from Companies House
Andy King, the chief executive of Companies House, expressed sincere apologies for the incident, stating that the agency takes its responsibility to safeguard the data it holds very seriously. He noted that the security lapse had already been reported to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC).
“Companies House undertakes to protect the data entrusted to us with the utmost seriousness,” King stated. He assured that the agency is committed to supporting those affected and to maintaining the trust placed in its services.
According to Companies House, the flaw was introduced during an update to the WebFiling system in October 2025. Fortunately, they have confirmed that while specific company data—such as dates of birth and residential addresses—may have been visible, passwords were not compromised, and critical identity verification data, such as passport information, remained secure.
Steps for Affected Companies
In light of this incident, Companies House is advising all businesses to review their details on the platform meticulously. Companies can expect to receive communication via their registered email addresses, detailing how to check their information and what actions to take if concerns arise.
The ICO has also advised business owners to consult the SME hub for guidance on addressing any potential issues. Companies with worries about their data security are encouraged to file complaints and provide evidence to support their claims.
This incident follows a series of recent security breaches involving major companies and banks. Instances where customers inadvertently accessed others’ transactions through mobile apps have heightened awareness surrounding data safety.
Why it Matters
The Companies House data breach underscores a critical vulnerability in the systems that hold sensitive information about businesses and their directors. In an era where data security is paramount, this incident raises significant questions about the robustness of existing protocols and the agencies responsible for protecting such data. The ripple effects could impact not only the companies directly involved but also the overall trust in digital platforms that manage crucial business information. As firms scramble to verify their details, it serves as a stark reminder of the importance of vigilance in safeguarding sensitive data in our increasingly interconnected world.
