Organisations in the UK are being advised to review all data held by Companies House after they admitted to a security flaw last week.

On Friday 13 March, the UK’s official corporate register had to suspend online filing when it was found that a bug had inadvertently made directors’ personal details publicly available. Logged-in users had been allowed access to personal information linked to other organisations (including dates of birth, residential addresses and email addresses).

The vulnerability is believed to have been introduced during a system update in October 2025, and has remained in place for months before being identified. However, Companies House has been keen to stress that there is no evidence that the flaw was widely exploited, although the glitch could have potentially allowed criminals to amend company details and upload fake accounts. Access would have been limited to logged-in users viewing individual company records, rather than bulk extraction of data. They also report that passwords and identity verification data were not affected.

Once the security flaw was reported, Companies House temporarily took the WebFiling service offline while the issue was investigated. They reported today that it has now been resolved.

Organisations registered with Companies House are now advised to review their records to ensure no unauthorised changes were made during the period the vulnerability was active. For example:

• Check details and filing history on the Companies House register
• Confirm that directors’ details are correct
• Monitor for any unexpected filings or updates

Directors should also be wary of phishing and social engineering, as well as potential identity theft, due to the publishing of this more detailed personal information, which could be used maliciously by bad actors.