Companies House, the UK’s official registrar of companies, has identified a security issue within its WebFiling service that may have allowed users to access and modify company information belonging to other entities. The issue was introduced during a system update in October 2025 and remained active until March 2026, when it was discovered and resolved.
While there is currently no evidence of widespread abuse, the nature of the issue means that certain nonpublic company data may have been visible and, in some cases, records could have been altered without authorization. Given that Companies House serves as an official source of company records in the UK, organisations should take steps to verify the accuracy of their filings and assess any potential impact.
Incident Details
The issue affected the Companies House WebFiling platform, where a logic flaw allowed authenticated users to access records beyond their authorized scope. This could potentially enable:
- Viewing of nonpublic company information, including director dates of birth, residential addresses, and company email addresses
- Unauthorised updates to company filings, including director details and other statutory information
Companies House has clarified that the following data was not impacted:
- Passwords
- Identity verification data (e.g., passport information)
- Existing filed documents (such as accounts or confirmation statements)
The issue was not accessible to the public and required a logged-in user with an authorization code. Any potential access would have been limited to individual company records rather than large-scale data extraction.
Actions to Take
Given that FCA-regulated firms, as well as the FCA itself, rely on Companies House data, ensuring the accuracy and integrity of these records is critical from a compliance and reporting perspective. FCA-regulated firms must check, amend, and confirm firm details each year within 60 business days of the firm’s financial year-end.
The FCA notes on its website that firms registered with Companies House should ensure their registered name, office address, and financial year-end date are current and accurate.
To confirm the integrity of company records and reduce potential risk, ACA recommends the following steps:
- Review company filings and records: Verify that all information held on Companies House is accurate and reflects your organization’s current structure.
- Check for unauthorised changes: Pay close attention to director details, registered addresses, and recent filings that may not have been initiated internally.
- Cross-check against internal records: Validate Companies House filings against internal documentation to ensure consistency and completeness.
- Prepare a response plan: Ensure there are clear procedures to investigate and correct unauthorized filings, including escalation to legal and compliance teams, where required.
- Monitor for updates: Stay alert for further communications or guidance from Companies House and relevant UK authorities. If you do find discrepancies, consider raising a complaint through the Companies House official channels for the best resolution.
How ACA Can Help
ACA supports organizations in assessing the impact on regulatory reporting and governance processes, validating company records, and identifying discrepancies. As your strategic partner, we help strengthen internal controls and third-party risk management practices to address risks associated with reliance on external data sources.
Contact an ACA expert to assess your risk exposure.