Companies House admits security failure was live for six months
A security vulnerability which allowed Companies House users to view and change other companies’ details without their consent was live for at least the past six months, the government registry has admitted.
An investigation conducted by Companies House over the weekend has found that the security failure was introduced in an October 2025 update to the system, with the body first being alerted to the issue on Friday.
The incident has now been reported to the Information Commissioner’s Office and the National Cyber Security Centre, Companies House said.
The registry has insisted that no passwords were compromised and that no data used as part of identity verification process, such as passport information, was accessed.
The vulnerability could not have been used to extract data in large volumes or to access records systematically, Companies House said, because any access would have been limited to individual company records, viewed one at a time by a registered user.
The registry said it had not yet had any reports of data being accessed or changed without permission, but invited users to check their registered details to make sure they had not been altered.
Companies House chief executive Andy King said: “I recognise that this incident will have caused concern and inconvenience to many of the companies and individuals who rely on our services. I am sorry for that.
“Companies House takes its responsibility to protect the data entrusted to us extremely seriously. We have taken swift action to secure and restore our service, and are committed to doing everything in our power to support those affected and to making sure that our services continue to merit the trust placed in them.”
Companies House suspends filing
Companies House suspended the filing service temporarily on Friday as a result of the glitch.
“We apologise for any inconvenience to our customers.”
It has also urged customers that they will miss their filing deadline that there is “no need” to contact the register.
“File as soon as you can once the service is available, and take a screenshot of any error messages and note the time and date. We’ll take this evidence into account if you cannot file.”
Tax expert Dan Neidle, who first noticed the glitch, said: “Companies House has always had a problem with false filings.
“But one thing everyone relied upon was the sanctity of the records: that only the company itself could file them.
“This incident calls that assumption into question.”
The registry has now confirmed that the filing service was reopened on Monday morning.
The Computer Misuse Act 1990 dictates that unauthorised access to computer material warrants a maximum prison sentence of two years. The penalty increases to up to five years for accessing data with the intention to commit further offences, such as fraud.