In a concerning turn of events, UK businesses are being advised to scrutinise their records after a significant security vulnerability on the Companies House website may have exposed sensitive information. The glitch, which allowed logged-in users to potentially access and alter the details of other companies, has raised alarms about the integrity of personal data across millions of firms.
Security Breach Uncovered
The issue came to light when John Hewitt, a professional from the corporate services provider Ghost Mail, stumbled upon the flaw. While navigating his own company’s dashboard, Hewitt inadvertently discovered that by pressing the back button multiple times, he could gain access to another company’s dashboard, revealing private information. This alarming breach was reported to Companies House and the independent think tank Tax Policy Associates, prompting immediate action from the agency.
Companies House, the government body responsible for the registration and management of limited companies in the UK, acknowledged that the security breach stemmed from an update to its WebFiling systems implemented in October 2025. The agency swiftly moved to shut down the WebFiling service on Friday after being informed, and it was back up and running by Monday, but not without a significant apology from Andy King, the chief executive.
Apology and Accountability
Andy King expressed regret over the incident, stating, “Companies House takes its responsibility to protect the data entrusted to us extremely seriously.” He confirmed that the organisation had reported the issue to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC). King reassured the public that Companies House was committed to restoring trust and supporting those affected by the breach.
In the aftermath, Companies House revealed that specific personal data—including directors’ home addresses and dates of birth—might have been accessible to other users logged into the WebFiling system. Although there were concerns about the potential for unauthorised filings, the agency clarified that passwords remained secure and that no identity verification data, such as passport information, was compromised.
Ongoing Investigation and Guidance for Businesses
As investigations continue, Companies House is advising all business owners to take proactive measures. Companies can expect to receive emails at their registered addresses, detailing how to verify their information and the steps to take if they have any concerns. Furthermore, businesses are encouraged to report any irregularities they find, ensuring they provide evidence to support their claims.
The ICO has also confirmed receipt of Companies House’s report and is directing affected enterprises to their SME hub for further guidance. This serves as a critical reminder for all businesses to regularly monitor their official records and maintain vigilance regarding their data security.
Why it Matters
This incident underscores the crucial need for robust cybersecurity measures in an increasingly digital landscape. With millions of companies relying on online platforms for their operations, the fallout from such breaches can be far-reaching, affecting not just individual firms but also the overall trust in digital services. As the investigation unfolds, it is imperative for businesses to stay informed and take necessary precautions to safeguard their data. Restoring confidence in data management practices will be essential for protecting the privacy of companies and their stakeholders in the future.
