Businesses urged to check Companies House records after bug left personal details visible

Companies House has admitted that a technical error, which meant users could view and make unauthorised changes to the records of other businesses and directors, began last October.

The bug, discovered last week by John Hewitt from Ghost Mail, allowed logged-in users to see the details of other businesses simply by pressing the ‘back’ button on their keyboard. Five million businesses are registered with Companies House.

Hewitt told Dan Neidle, founder of Tax Policy Associates, who published a video showing that changes could be made to records.

On Friday, Companies House temporarily suspended the online accounts filing service and on Monday it issued a statement from CEO Andy King saying that the technical issue was introduced when it updated the WebFiling systems in October 2025.

“Specific data from individual companies not normally published on the Companies House register may have been visible to other logged-in WebFiling users,” the statement said.

“This includes dates of birth, residential addresses and company email addresses. It may also have been possible for unauthorised filings — such as accounts or changes of director — to have been made on another company’s record.”

It said passwords were not compromised, identity verification information such as passport details could not be accessed and no existing filed documents, such as accounts or confirmation statements, could have been altered.

Companies House has reported the incident to the Information Commissioner’s Office and the National Cyber Security Centre, and it urged “all companies to check their registered details and filing history to make sure everything appears correct”. Concerned businesses should raise a complaint.

Commenting on the statement, Dan Neidle said:

“Five months is a long time for a vulnerability this serious to remain live. Research suggests that newly discovered vulnerabilities are, on average, exploited within 15 days.

“The security experts we spoke to thought that, if the exploit had been live for longer than a few days, then there was a high chance that bad actors had discovered it.”

Liam Byrne MP, chair of the House of Commons Business and Trade Committee, has written to Andy King asking him to answer questions including whether Companies House only became aware of the bug after being contacted by Tax Policy Associates, whether unauthorised third parties were able to make permanent changes to company information, and which failed internal security controls caused the bug.