Companies House, 8 Apr 2026

Companies House WebFiling Investigation: Further Update Published

Five-month WebFiling vulnerability exposed directors' personal data and may have enabled unauthorised company filings. Investigation ongoing with ICO and NCSC involvement.

Companies House has published a significant update to its ongoing investigation into a critical security vulnerability affecting the WebFiling service. The vulnerability was introduced during a system update in October 2025 and remained undetected until 13 March 2026, when the service was taken offline for emergency remediation and independent security testing. The service resumed on 16 March following the completion of those tests.

During the exposure window of approximately five months, a logged-in WebFiling user could exploit the vulnerability to access and modify details belonging to any other company without using that company's authentication credentials. The affected data included sensitive personal information such as directors' dates of birth, residential addresses, and company email addresses.

WHAT YOU NEED TO DO

Log in to WebFiling immediately and conduct a complete audit of all filings submitted between October 2025 and 16 March 2026 for any entries you do not recognise. Cross-check the public Companies House register to verify the accuracy of all registered details. If you identify any unexpected filings, contact Companies House at enquiries@companieshouse.gov.uk with the subject line "WebFiling issue".

Companies House WebFiling Investigation: Further Update Published · CosecCompanion