A significant security vulnerability in the Companies House WebFiling system may have left the personal details of millions of UK company directors exposed for approximately five months, it has emerged.
The flaw, which was introduced during a system update in October 2025, potentially allowed logged-in users to view and modify other firms' confidential information without authorisation.
Sensitive data including residential addresses, dates of birth and email addresses could have been accessed by other registered users of the online filing service.
The breach also created the possibility for unauthorised filings, such as accounts submissions or director changes, to be made on behalf of other companies.
Companies House became aware of the issue on Friday, March 13 and shut down the WebFiling service at 1:30pm that day.
The Federation of Small Businesses has condemned the security lapse as "astonishing" in a letter to Business Secretary Peter Kyle demanding urgent action, Sky News reported.
Craig Beaumont, an FSB executive director, said: "This is a cumulative toxic combination which runs contrary to the Government's growth agenda that we all need to support."
In his correspondence with Mr Kyle, Mr Beaumont said: "Security of company directors' information should be paramount, as any breach can lead to information being used by criminals to significantly disadvantage or even put a small company out of business."
The FSB expressed particular frustration that the breach occurred despite Companies House recently imposing stricter compliance requirements aimed at preventing fraud.
The organisation also highlighted that fees had risen substantially, with software-based company incorporation costs doubling from £50 to £100.
Companies House chief executive Andy King issued an apology for the incident, acknowledging it had caused "concern and inconvenience" to businesses relying on the agency's services.
The organisation reported the breach to both the Information Commissioner's Office and the National Cyber Security Centre.
Following independent testing, the WebFiling service was restored at 9am on Monday, March 16.
LATEST DEVELOPMENTS
- Rachel Reeves announces £2.5billion investment in AI to boost UK economy
- HMRC disaster as 5.6 million Britons overpaid £3.5BILLION due to 'wrong' tax codes
- Rachel Reeves announces plan to give mayors a share of national tax revenues
Companies House emphasised that passwords remained secure and no passport data used for identity verification had been compromised.
Previously filed documents, including accounts and confirmation statements, could not have been altered, the agency confirmed.
Mr King said: "Companies House takes its responsibility to protect the data entrusted to us extremely seriously."
He added: "We have taken swift action to restore services."
The agency said the vulnerability could not have been exploited to extract information in bulk or access records systematically.
Companies House is urging all businesses to review their registered details and filing history to ensure no unauthorised changes have been made.
The agency will contact every company at their registered email address with instructions on how to verify their information and what steps to take if concerns arise.
Any firm that identifies potential issues should submit a formal complaint with supporting evidence.
The FSB has called for Companies House to write directly to all directors on the register, informing them of measures being taken to detect and reverse any unauthorised modifications.
The small business group also wants affected directors to be told how many times their accounts were accessed and what they can do to secure their information.
An ICO spokesperson confirmed receipt of the breach report and directed business owners to consult its SME hub for guidance.
Our Standards: The GB News Editorial Charter
from GB News https://ift.tt/IYhbXoD
0 Comments