Companies House, which manages the UK's register of all businesses and their directors, temporarily shut down its WebFiling service on 13 March following reports that hidden company details could be seen and modified. The incident, which lasted from Friday afternoon through to Monday morning, exposed a fundamental failure in how critical government systems are tested before deployment.
The exposed data included dates of birth, residential addresses, and company email addresses, and it may have been possible for unauthorised filings such as accounts or changes of director to be made on another company's record. With over five million UK companies on the register, the scale of potential exposure was enormous. Yet the vulnerability appears to have lurked undetected since October 2025 when system upgrades were rolled out.
The mechanism was embarrassingly simple. A logged-in company director could exploit the flaw by starting from their own dashboard and then trying to log into another company's account. Rather than being blocked after entering incorrect credentials or encountering two-factor authentication, users who clicked the browser back button repeatedly would find themselves viewing someone else's private information. This is not a sophisticated attack requiring specialist knowledge. Any user with basic browser familiarity could stumble onto it.
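A regression test for the navigation sequence described above, as an added example that is not Companies House code: a constructed model of a filing service in which company access is granted only by a completed sign-in and is checked on every page request. All function names, company numbers, credentials and records are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: company number -> sign-in credential / record.
CREDENTIALS = {"00000001": "own-secret", "00000002": "other-secret"}
RECORDS = {"00000001": {"director_dob": "1970-01-01"},
           "00000002": {"director_dob": "1980-02-02"}}

@dataclass
class Session:
    user: str
    authorised: set = field(default_factory=set)  # companies with a completed sign-in
    pending: Optional[str] = None                 # company whose sign-in is in progress

def begin_company_login(session, company):
    # Starting a sign-in records intent only; it grants nothing.
    session.pending = company

def submit_credential(session, credential):
    # The pending company is cleared whether or not the credential is right.
    company, session.pending = session.pending, None
    expected = CREDENTIALS.get(company)
    if expected is not None and hmac.compare_digest(expected, credential):
        session.authorised.add(company)
        return True
    return False

def view_company(session, company):
    # Runs on every request, including a page re-requested via Back.
    # Access depends only on completed sign-ins, never on session.pending.
    if company not in session.authorised:
        raise PermissionError(f"{session.user} is not signed in to {company}")
    return RECORDS[company]

def replay_back_button_sequence():
    """Replay: own dashboard -> failed sign-in elsewhere -> Back, Back."""
    s = Session(user="director-a")
    begin_company_login(s, "00000001")
    submit_credential(s, "own-secret")
    results = {"own_before": view_company(s, "00000001")}
    begin_company_login(s, "00000002")
    results["login_ok"] = submit_credential(s, "wrong-guess")
    for attempt in ("back_1", "back_2"):  # repeated Back re-requests the page
        try:
            view_company(s, "00000002")
            results[attempt] = "exposed"
        except PermissionError:
            results[attempt] = "denied"
    results["own_after"] = view_company(s, "00000001")
    return results
```

A test of this shape belongs in the release pipeline for any change to sign-in flow, since it exercises the out-of-order navigation that a happy-path login test never reaches.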
An internal investigation revealed that changes made to the WebFiling platform in October 2025 introduced the unexpected behaviour, but attention was first drawn to it on 13 March by tax professional Dan Neidle. Neidle, founder of Tax Policy Associates, published a video on social media depicting how the flaw could be abused to access other companies' data. The irony that a flaw went unnoticed for months before a private sector professional exposed it publicly should concern anyone overseeing government digital investment.
Defending the response, Companies House stated it believed the issue could not have been used to extract data in large volumes or to access records systematically, with any access limited to individual company records viewed one at a time by a registered WebFiling user. This provides some reassurance about the practical scale of potential damage, though it does not excuse the failure to catch the bug during testing.
The regulatory response now moves into sharper focus. Companies House has reported the incident to the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC), and is actively analysing data to identify any anomalies, with plans to email every company's registered email address to explain how to check their details. Under UK data protection law, organisations must notify affected parties of any high-risk breach without undue delay.
There are also legitimate questions about the government's broader digital modernisation programme. From 13 October 2025, users had to sign in to their Companies House WebFiling account with One Login and verify their identity, a requirement that followed a string of bogus company names and directors appearing on the register. While the intent to prevent fraud was sound, the execution appears to have introduced the very security flaw that created this crisis. Systems integration of this magnitude demands rigorous testing against real-world scenarios, not just laboratory conditions.
Business groups have responded with alarm. The Federation of Small Businesses described the situation as a "shocking breach" that could undermine trust in the system designed to protect corporate information, with its communications director saying many small companies would question the value of the fees they pay to Companies House and that the incident should halt plans for further fee increases.
The practical impact for business is real. Companies House has stated that if it finds evidence anyone used this issue to access or change another company's details without authorisation, it will take firm action. Until the investigation concludes, every company director must now assume their personal information may have been viewed, and they face the burden of checking their records for fraudulent alterations.
The fundamental issue here transcends Companies House. When government agencies deploy systems that hold sensitive data on millions of people, testing and quality assurance cannot be an afterthought. The fact that a security flaw of this magnitude went undetected for five months raises uncomfortable questions about whether adequate safeguards exist before critical digital infrastructure goes live. This incident deserves to be a reckoning moment for how government agencies approach digital transformation.