The security flaw was discovered on Friday 13 March. Services were suspended and restored on 16 March, but companies are advised to check their records.
On Friday 13 March 2026, Companies House halted its online WebFiling service after a user identified a serious security issue that could have allowed individuals to alter confidential information belonging to other companies.
The issue meant that users logged in through a Gov.UK One Login account may have been able to modify certain aspects of another company’s information without authorisation. In response, Companies House immediately suspended WebFiling while it investigated and resolved the problem.
Following testing and remediation, the service was restored at 9am on Monday 16 March 2026.
In a statement, Companies House said the service has now been independently tested and is operating normally. Chief Executive Andy King also acknowledged that the incident may have caused concern to companies and individuals who rely on the service.
Companies House said:
“On Friday 13 March, Companies House was made aware of a security issue with our WebFiling service. We closed the service while we investigated and resolved the issue. The service has been independently tested and is back online as of 9am on Monday 16 March.
“We recognise that this incident will have caused concern and inconvenience to many of the companies and individuals who rely on our services. Companies House takes its responsibility to protect the data entrusted to us extremely seriously and we have taken swift action to secure and restore our service and are committed to doing everything in our power to support those affected.”
What was not affected
Companies House has confirmed that several key areas of data were not impacted by the issue. These include:
-
Passwords, which were not compromised
-
Data used in the Companies House identity verification process, which was not accessed
-
Previously filed information, such as accounts, which could not be altered
What may have been affected
Companies House has said that some information could potentially have been accessed by users logged into WebFiling. This may include:
-
Personal data that is not usually visible on the public register, such as full dates of birth, residential addresses and company email addresses
-
The ability to file new information, such as accounts or changes relating to directors
However, Companies House has stated that it does not believe large volumes of data were accessed, extracted or filed during the period in question.
What companies should do
Companies House is advising all companies to review their records and filing history to ensure that no unexpected changes have been made.
Companies will also receive an email from Companies House at their registered address with further guidance.
Advice for bookkeepers
For bookkeepers, this incident highlights the importance of maintaining oversight of clients’ company records.
ICB welcomes the swift action taken by Companies House once the issue was identified. However, responding quickly to a problem is not the same as preventing one in the first place. Concerns around potential weaknesses in the Gov.UK One Login system have previously been raised by technology publications.
ICB recommends that members respond to the email from Companies House and check both their own records and those of their clients to ensure that no unexpected changes have been made.
Members should also encourage clients to sign up for Companies House alerts so they are notified quickly if any filings or changes are made.
Automation and digital tools continue to play an important role in modern compliance systems. But while technology can improve efficiency, oversight remains essential. Human judgement continues to be the most effective safeguard when it comes to protecting business data and maintaining trust in the system.
