On Friday, 13 March 2026, Companies House became aware of a security issue affecting its WebFiling service an incident that stemmed from a vulnerability introduced during a system update in October 2025. Companies House acted swiftly, temporarily shutting down the WebFiling service, and has since verified that no passwords, identity verification data, or existing filed documents were altered during the event.
What Exactly Happened?
Under specific circumstances, a user who logged in with their own credentials could access certain parts of another company’s dashboard by following a particular sequence of actions, such as attempting to “file for another company” and then navigating back through the browser history. This behaviour first noticed by external experts rather than malicious actors—allowed limited access to non‑public information belonging to another registered company.
The flaw was not publicly exploitable. Only authenticated users with legitimate access codes could inadvertently trigger the issue. This restricted the scope of the vulnerability and prevented widescale automated extraction of data. Companies House confirmed that any access would have been limited to one record at a time and would have required deliberate interaction by a logged-in user.
Who Discovered the Vulnerability? The External Researchers Behind the Report
The issue first came to light thanks to security‑conscious individuals working in the regulatory and corporate services space. An employee of a corporate services provider originally identified the vulnerability. Their findings were instrumental in bringing the issue to wider attention, allowing Companies House to take rapid and decisive action.
What Data Was Potentially Accessed?
Companies House confirmed that specific non‑public information—details not normally shown on the public register—may have been visible to authenticated users. These included directors’ dates of birth, residential addresses, and company email addresses. Additionally, it may have been possible for a user to submit unauthorised filings, such as accounts or director changes, within another company’s records.
However, several critical safeguards remained intact:
- Passwords were not compromised.
- Identity‑verification data, such as passport information, was never accessible.
- No existing filed documents, including confirmation statements and accounts, could be altered.
- No systematic extraction of large data sets was possible.
This aligns with independent analysis categorising the incident as medium severity, largely due to the controlled nature of access and the lack of authentication‑related compromise.
How Companies House Responded
Once notified, Companies House took the WebFiling service offline at 1:30 pm on Friday, 13 March to investigate and resolve the issue. After independent testing confirmed the fix, the service was restored by 9 am on Monday, 16 March. The agency reported the incident to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC), and began contacting registered companies to provide guidance on how to review their details.
Virtual Company Secretary: Reassurance for Our Clients
At Virtual Company Secretary Limited, we understand the seriousness of such incidents and the concerns businesses may feel when official systems experience technical vulnerabilities. That’s why we maintain constant oversight of all filings and company records for our clients.
We are pleased to confirm—based on our own comprehensive monitoring and supported by independent industry findings—that none of our clients’ data was altered, in any way, during the period of this vulnerability. Throughout October 2025 to March 2026, we tracked all filings and received no unexpected or unauthorised submissions for any company we administer. This mirrors broader professional analyses reporting no anomalous filings during the exposure window.
Our proactive systems, combined with diligent oversight, mean we can confidently assure all clients that their corporate records remain correct and are continually monitored.
Final Thoughts
The March 2026 Companies House WebFiling issue serves as a reminder of the importance of robust cybersecurity practices—even within trusted national systems. Thankfully, the vulnerability was discovered responsibly, addressed promptly, and contained effectively. For businesses, it highlights the value of having expert partners who continually monitor filings and ensure the integrity of corporate data.
Virtual Company Secretary remains fully committed to safeguarding client records and providing complete transparency and assurance—no matter what challenges arise in the broader digital landscape.