
Businesses may have had their data exposed due to a hidden security issue in Companies House, which remained undetected for over five months.
Understanding the Security Issue: What Really Happened
The issue was introduced during a system update in October 2025. A small glitch allowed logged-in users to view private information such as directors' dates of birth, residential addresses and company email addresses. In addition, there was a risk that unauthorised filings, including changes to directors or company accounts, could have been submitted without the proper permissions.
Response and current status
Companies House took the WebFiling system offline on 13 March 2026 to investigate, test and resolve the issue, restoring service on 16 March. Currently, there is no confirmed evidence of widespread misuse, but investigations are ongoing and it is not yet clear whether any unauthorised access or changes were actually carried out.
How the exploit worked
What makes this incident particularly concerning is how simple the exploit could be. A logged-in user could access another company’s dashboard by selecting the “file for another company” option and then using the browser’s back button in a specific sequence. This bypassed authentication controls, exposing private director information that is normally hidden from public view.
Why it matters
Even though key safeguards remained intact, the incident highlights how easily confidential business information can be exposed when a system behaves unexpectedly.
This issue also demonstrates that security risks do not always stem from external attacks. They can result from system updates, misconfigured access controls or unexpected user behaviour. These internal weaknesses can be just as impactful as deliberate intrusions and serve as a reminder that even trusted platforms used for compliance and legal obligations can contain hidden vulnerabilities.
What SMEs should do now
For directors and business owners, the most important action now is knowledge and awareness. Companies House has asked all companies to review their registered details and filing history to ensure everything is accurate and unchanged. Taking a moment to check your company profile, verify director information and confirm that all filings appear correct can help identify irregularities early.
Beware of fake emails
Remaining alert to unusual messages or unexpected communications is important, especially when confidential information may have been visible to unintended users. Following incidents like this, cybercriminals often attempt to exploit confusion. There have been reports of fake emails claiming that you must “verify your identity” with Companies House.
Proactive monitoring is a must
This incident is a reminder to stay proactive. Events like this are not only warnings but opportunities to strengthen the way you manage and monitor your own business data. Reviewing internal IT systems, refining access controls and ensuring that staff understand how to recognise unusual activity can significantly reduce risk. If your company relies on online platforms for compliance, administration or communication, taking time to check that everything is accurate, secure and up to date is always worthwhile.
How Hobb can help
If you need support reviewing your company information, assessing your IT systems or improving how your business protects sensitive data, our team at Hobb is here to help.
We will provide clear guidance and practical steps to make security more manageable for every business. To get in touch, email us at hello@hobb.co.uk or call 01782 566888.