Companies House security incident exposes millions of directors' personal data

Companies House has restored its online filing service following a major security breach that exposed the personal data of millions of directors. A bug in the WebFiling system allowed logged-in users to access and potentially alter confidential company records, including residential addresses, full dates of birth, and email addresses. The vulnerability was easily exploited by entering a company number and repeatedly pressing the browser's back button, which bypassed authentication and granted access to unauthorised filing dashboards.

The incident, which may have originated during a system update in October 2025, went undetected for approximately five months before being identified by tax experts and reported to the registry. Companies House suspended the service on Friday, 13 March, to investigate the scale of the exposure and returned it to operation on Monday, 16 March.

While large-scale data extraction was unlikely due to the manual nature of the exploit, the organisation is checking its systems for anomalies. Companies House confirmed that identity verification data and passwords remained secure during the incident.

£ - This article requires a subscription.

A version of this article is available without subscription in Infosecurity Magazine.

Training Announcement: Freevacy offers a range of independent data protection qualifications from IAPP and BCS. Our certified courses are available at foundation and practitioner levels and cover multiple legal jurisdictions, data protection operations management, and the implementation of complex privacy solutions in technical environments. Find out more.