If you tried to file through Companies House WebFiling on Friday 13 March or over the weekend that followed, you will already know the service went down. Deadlines moved, clients asked questions, and the explanation from Companies House was thin on detail. For most practices it looked like an outage. It was not.
Behind the shutdown was a security flaw that had been sitting inside the WebFiling system since October 2025. For nearly five months, every company on the UK register was exposed. All five million of them. The service is back online now, but what the flaw allowed, and for how long, demands a clear look.
What Happened & How Serious Was It?
The Companies House WebFiling flaw left logged-in users able to access the private dashboards of other companies without authorisation. Confidential director data was visible. While existing filed documents could not be altered, users could change current registration details or upload new fraudulent accounts. The exposure ran across the entire register, from small owner-managed businesses to major listed firms including Shell and AstraZeneca. Nothing about the structure of the flaw limited who was affected.
The seriousness here is not just in what was accessible. It is in how long it was accessible, and how little stood between a logged-in user and someone else’s private company data.
How Did the Flaw Actually Work?
No technical skill was required. No specialist knowledge. Any WebFiling user with a login could have done this.
The method was straightforward. A user logged into their own account and selected the option to file on behalf of another company. They entered any company number. When the system prompted them for an authentication code they did not hold, they pressed the browser’s back button several times. The security check was bypassed. They were in.
A browser back button. Five million companies. The gap between cause and consequence is what makes this incident sit apart from routine data failures. The barrier to exploitation was effectively zero.
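The article does not say what the server-side cause was. The sketch below is an added example, not Companies House code, showing the control that makes navigation order irrelevant: a company is authorised only when its authentication code is verified, and every dashboard request is checked against that set. All names and the sample codes are hypothetical.

```python
# Added illustration: hypothetical names throughout, not Companies House code.
import hmac


class AuthorisationError(Exception):
    pass


class Session:
    def __init__(self, user):
        self.user = user
        self.pending_company = None  # number typed in, nothing proven yet
        self.authorised = set()      # companies whose code was verified


# Constructed sample data: company number -> authentication code.
AUTH_CODES = {"00000001": "A1B2C3", "00000002": "Z9Y8X7"}


def select_company(session, company_number):
    # Step 1 of "file on behalf of another company": records intent only.
    session.pending_company = company_number


def submit_auth_code(session, code):
    # Step 2: the only place a company joins the authorised set.
    number = session.pending_company
    expected = AUTH_CODES.get(number)
    session.pending_company = None
    if expected is None or not hmac.compare_digest(expected.encode(), code.encode()):
        raise AuthorisationError("authentication code rejected")
    session.authorised.add(number)


def view_dashboard(session, company_number):
    # Checked on every request, so the order pages were visited in is irrelevant.
    if company_number not in session.authorised:
        raise AuthorisationError("session not authorised for " + company_number)
    return {"company": company_number, "viewer": session.user}


def back_button_attempt(session, company_number):
    # Replays the navigation from the article: select a company, skip the
    # code prompt, then request the dashboard anyway.
    select_company(session, company_number)
    try:
        view_dashboard(session, company_number)
        return "exposed"
    except AuthorisationError:
        return "denied"
```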
What Could Someone Have Accessed or Changed?
Two categories of exposure, both with real consequences.
On the data side, anyone exploiting the flaw could view information held off the public register. Directors’ home addresses. Personal email addresses. Full dates of birth. Precisely the kind of information that enables identity fraud. Experts warned that access to this data in combination was sufficient to attempt identity theft or to impersonate a company for further criminal purposes.
On the filing side, an unauthorised user could have uploaded false company accounts, changed a registered address, or amended director details on the official record.
Two things were not affected. Passwords were not compromised. Identity verification data, including passport information, was not accessible. Companies House also noted that the flaw required records to be accessed one by one, making large-scale automated extraction unlikely. That limits the realistic scope of any exploitation. It does not eliminate it.
When Was It Discovered & How Was It Fixed?
The vulnerability entered the system during a routine update in October 2025. It was not caught internally. It remained live and undetected for just under five months.
The flaw was originally discovered by John Hewitt of Ghost Mail; after his initial attempts to alert Companies House received no response, he contacted tax campaigner Dan Neidle, who then reported it to the agency on Friday 13 March 2026. The same afternoon, at 1:30pm, the WebFiling service was suspended. Independent testing ran across the weekend. By 9:00am on Monday 16 March, the service was restored and secured.
Once the flaw was flagged, the response was fast. But the exposure window ran from October 2025 to March 2026. The speed of the fix and the duration of the vulnerability sit in the same sentence whether Companies House would prefer it that way or not.
Where Do Things Stand Right Now?
WebFiling is back online and the flaw is resolved. The incident is not closed.
Companies House has self-reported to the Information Commissioner’s Office and the National Cyber Security Centre. That is not a routine notification. It reflects the organisation’s own assessment that the breach carried GDPR significance and warranted regulatory attention from both bodies.
Every company on the register is being contacted by email with guidance on checking their details and what to do if they have concerns. Internally, Companies House is actively reviewing filing data across the exposure window, looking for anomalies or unauthorised changes. The investigation is running.
What Do Accountants Need to Do Right Now?
The service is back online but the work is not finished. Three things warrant immediate attention.
File Without Further Delay.
If your practice missed a filing window during the shutdown, you should file as soon as possible and retain evidence of the disruption, such as screenshots of error messages and notes of the dates and times of your attempted filings. Companies House has confirmed it will take this evidence into account when assessing late penalties caused by the service being unavailable.
Check Your Client Records.
The exposure window ran from October 2025 to March 2026. Registered addresses, director details and recent filing history across your client base all warrant a check. If anything looks altered, report it to Companies House and advise the client. Do not wait for them to notice first.
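One way to run that check across a client base, as an added example that is not from Companies House or the original article: compare each client's filings on the register with the practice's own submission log and flag anything inside the exposure window that the practice cannot account for. The record layout, category labels, three-day matching tolerance and sample data are assumptions made for the illustration.

```python
from datetime import date

# Window from the article: flaw introduced October 2025, service suspended
# 13 March 2026. The exact October day is not given, so the whole month is
# included (assumption).
WINDOW_START = date(2025, 10, 1)
WINDOW_END = date(2026, 3, 13)


def unexplained_filings(register_filings, practice_log, tolerance_days=3):
    """Return register filings in the window with no matching practice submission."""
    flagged = []
    for f in register_filings:
        filed = date.fromisoformat(f["date"])
        if not (WINDOW_START <= filed <= WINDOW_END):
            continue
        # A log entry explains a filing if company and category match and the
        # dates are close; register dates can lag the submission date.
        explained = any(
            e["company"] == f["company"]
            and e["category"] == f["category"]
            and abs((filed - date.fromisoformat(e["date"])).days) <= tolerance_days
            for e in practice_log
        )
        if not explained:
            flagged.append(f)
    return sorted(flagged, key=lambda f: (f["company"], f["date"]))


# Constructed sample data (hypothetical company numbers and categories).
REGISTER = [
    {"company": "00000001", "date": "2025-09-20", "category": "accounts"},
    {"company": "00000001", "date": "2025-11-06", "category": "registered-address"},
    {"company": "00000002", "date": "2026-01-15", "category": "director-details"},
    {"company": "00000002", "date": "2026-02-02", "category": "accounts"},
    {"company": "00000003", "date": "2026-03-13", "category": "accounts"},
]
PRACTICE_LOG = [
    {"company": "00000001", "date": "2025-11-04", "category": "registered-address"},
    {"company": "00000002", "date": "2026-01-20", "category": "accounts"},
]

if __name__ == "__main__":
    for f in unexplained_filings(REGISTER, PRACTICE_LOG):
        print(f["company"], f["date"], f["category"])
```

A flagged entry is a prompt to ask the client whether they or another agent made the filing, not proof of tampering.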
Watch How This Develops.
A flaw undetected for five months in infrastructure that sits at the centre of daily practice will not pass without consequences for how government portals are built and maintained. Practices that understand what happened here, and can explain it clearly, will be better placed to guide clients through whatever changes follow.
That is what good advisers do. They stay ahead of the questions.