UK small businesses are being asked to check their Companies House details after a security issue in the WebFiling service exposed a narrow but uncomfortable risk: some logged-in users may have been able to see private company data or submit unauthorised filings on another company’s record.
Companies House says the issue was identified on Friday 13 March, WebFiling was taken offline that afternoon, and the service returned on Monday 16 March after independent testing. It is now emailing every registered company address with advice on what to check. At the time of writing, it says it has no reports of data being accessed or changed without permission, but the investigation is still ongoing.
That means this is not a reason to panic, but it is a sensible moment for business owners, directors and office managers to do a quick housekeeping check. For smaller firms, the risk is not just data exposure. It is the admin mess, fraud risk and wasted time that can follow if a filing history or company details look wrong.
What happened
According to Companies House chief executive Andy King, the issue meant that a logged-in WebFiling user with an authorised code could potentially access and change some elements of another company’s details after carrying out a specific set of actions. This was not open to the general public, and Companies House says it could not be used to pull data at scale or systematically browse records in bulk.
The organisation says data that may have been visible included dates of birth, residential addresses and company email addresses that are not normally shown on the public register. It also says unauthorised filings, including accounts or changes of director, may have been possible on another company’s record.
Companies House has also been clear on what was not affected. Passwords were not compromised, identity-verification documents such as passport data were not accessed, and already-filed documents such as accounts or confirmation statements could not be altered retrospectively.
Why this matters for SMEs
For a large business, checking filing records may be another compliance task on a longer list. For a small business, it is often one more job for the owner or a stretched admin lead who is already covering payroll, suppliers, invoicing and customer issues.
That is why incidents like this matter even when the practical risk appears limited. If the wrong contact details appear on the register, if a filing is made that you did not authorise, or if sensitive details have been exposed, the consequences can be time-consuming and distracting. There is also the possibility of follow-on scam activity if criminals try to exploit confusion around an official security notice.
In that sense, this sits alongside other back-office resilience issues we have covered before. When systems fail or access goes awry, the direct technical problem is only half the story. The knock-on admin burden, fraud concern and interruption to routine can be just as costly, as we saw in our earlier piece on the Lloyds, Halifax and Bank of Scotland app glitch.
What businesses should check now
The practical advice from Companies House is straightforward: check your registered details and filing history to make sure everything looks correct. For most SMEs, that means taking a few minutes to review the company record, confirm the main contact details are accurate and make sure no unexpected filing or officer change has appeared.
It is also worth checking who inside the business has access to WebFiling credentials or authentication codes, and whether that access is still appropriate. If codes are stored in shared documents, inboxes or old handover notes, now would be a good time to tighten that up.
Because Companies House is emailing registered company addresses between 17 and 19 March, businesses should also be alert to opportunistic phishing. If a message about this issue creates urgency, asks for unusual information or sends you somewhere unexpected, pause and verify it carefully before acting.
If you do spot anything wrong, Companies House says firms should contact enquiries@companieshouse.gov.uk using the subject line WebFiling issue and include evidence explaining the concern.
The practical takeaway
This looks like a contained but serious admin-security issue rather than a mass data breach. Even so, it is relevant to almost every incorporated small business in the UK because the safest response is a simple one: check your company record, review your filing history and make sure access to WebFiling is properly controlled.
For many SMEs, that will be a 10-minute job. That is probably time well spent.
Sources
- Companies House, Email to registered companies about the WebFiling security issue, published 17 March 2026
- Companies House, Update on Companies House WebFiling security issue, updated 18 March 2026
