AIBD
Saturday, 25 April 2026
Sarah Kim
Workplace Transformation Editor

13 March: The Day Companies House Security Fell to Four Keystrokes

A basic browser vulnerability exposed 5 million companies' private data for five months. What directors need to know now.


What Happened at 1.30pm on Friday the 13th

The security issue was identified on 13 March, and the Companies House WebFiling service was immediately shut down at 1.30pm last Friday. Not exactly the kind of timing that inspires confidence in systems handling the private details of 5 million registered companies.

All that was required was to log in to Companies House using your own details and access your own company's dashboard. Then opt to "file for another company" and enter the company number for any one of the five million companies registered with Companies House. Press the 'back' key a few times to return to your dashboard. Except it isn't your dashboard. It's the other company's dashboard.

Four keystrokes. That was the extent of the technical wizardry required to access another company's confidential filing dashboard. The flaw required no hacking tools or technical expertise — just a web browser and a Companies House login.
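The steps above describe a broken access control flaw: the dashboard served whichever company the session pointed at, without checking that the logged-in user was authorised for it. The following toy model is an added example, not Companies House code; the page does not describe the server-side cause, so the session fields, function names and the assumption that the company was selected before any authentication-code check are all hypothetical.

```python
# Toy model, constructed for illustration; all names and values are hypothetical.
AUTHORISED = {"alice": {"00000001"}}  # user -> company numbers they may file for

class Forbidden(Exception):
    pass

def select_company_vulnerable(session, company_number):
    # Weak: the target company is written into the session as soon as the
    # number is entered, before any authentication-code step has succeeded.
    session["company"] = company_number

def dashboard_vulnerable(session):
    # Weak: trusts whatever company the session holds, so going "back" from
    # the unfinished flow renders the other company's dashboard.
    return "dashboard:" + session["company"]

def select_company_hardened(session, company_number, auth_code_ok):
    # Fixed: the active company changes only after authorisation is proven.
    if not auth_code_ok:
        raise Forbidden(company_number)
    AUTHORISED.setdefault(session["user"], set()).add(company_number)
    session["company"] = company_number

def dashboard_hardened(session):
    # Fixed: authorisation is re-checked on every request, so stale or
    # half-finished session state cannot expose another company's data.
    company = session["company"]
    if company not in AUTHORISED.get(session["user"], set()):
        raise Forbidden(company)
    return "dashboard:" + company

def back_button_flow(hardened):
    """Log in, start 'file for another company' without a code, then go back."""
    session = {"user": "alice", "company": "00000001"}
    try:
        if hardened:
            select_company_hardened(session, "00000002", auth_code_ok=False)
        else:
            select_company_vulnerable(session, "00000002")
    except Forbidden:
        pass  # selection refused; the session still points at alice's company
    try:
        return dashboard_hardened(session) if hardened else dashboard_vulnerable(session)
    except Forbidden:
        return "denied"
```

The per-request check in `dashboard_hardened` is the control that matters: it holds even if some other code path leaves the wrong company in the session.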

The Five-Month Window

The vulnerability hadn't appeared overnight. Investigators identified that the security issue was introduced when Companies House updated its WebFiling systems in October 2025. Five months. One hundred and fifty-five days of potential access to directors' dates of birth, residential addresses and company email addresses.

The WebFiling dashboard contains information that's specifically protected from public view: the residential addresses of company directors (not the service addresses shown publicly). Companies House requires directors to provide residential addresses, but only displays service addresses publicly. This vulnerability exposed the actual home addresses that are supposed to stay private.

Not just addresses. Full dates of birth, not the sanitised month-and-year versions visible on the public register. Company email addresses. The real danger isn't document tampering — it's the identity theft goldmine of combining directors' home addresses with their dates of birth.

Discovery and Disclosure

John Hewitt at Ghost Mail, a corporate services provider, discovered the flaw on March 13, 2026. He did what any responsible person would do: contacted Companies House. When that approach yielded precisely nothing, he turned to Tax Policy Associates and its founder, tax expert and transparency campaigner Dan Neidle.

Neidle's response was admirably direct. Mr Neidle said the glitch could be "very serious" if it was in place for a long time, adding it was an "absolutely insane vulnerability in how easy it is to find".

But here's the twist that would make Kafka weep: Hewitt contacted Companies House but did not receive a response, so he instead got in touch with tax campaigner Dan Neidle to explain the flaw. A corporate services professional discovers a fundamental security flaw affecting 5 million companies, contacts the regulator, gets silence, and has to resort to a tax campaigner to get action.

What This Means for Your Monday Morning

Companies are urged to review their registered details and filing history to ensure their records are accurate. Companies House asks any company with a concern to contact it on enquiries@companieshouse.gov.uk using 'WebFiling issue' in the subject heading and to include evidence describing the concern.

Log into your WebFiling account and scrutinise every detail. Check filing history for any unfamiliar submissions since October 2025. Review director information for unauthorised changes. Monitor for any unusual correspondence or authentication codes you didn't request.

Contact Companies House at enquiries@companieshouse.gov.uk with "WebFiling issue" in the subject line if anything looks wrong. Watch for targeted scams — attackers with your home address and birthday can craft convincing phishing attempts.

The System Upgrade That Backfired

This incident coincides with the closure of the joint HMRC and Companies House filing service (CATO) on 31 March 2026. From 1 April 2026, company tax returns and annual accounts must be filed separately. Just as Companies House pushes directors toward third-party software providers, its own systems demonstrate precisely why some prefer direct government portals.

The vulnerability dates back to October 2025, when Companies House updated its systems to integrate with GOV.UK One Login, replacing the older Government Gateway. The same modernisation drive that was supposed to improve security created this vulnerability.

The company registry — which operates as an executive agency of the Department for Business and Trade — also hopes that the security incident might help justify additional spending on upgrading ageing tech. For the longer term, Companies House says it is developing a case for investment to modernise its architecture and reduce risks associated with legacy applications.

Next Deadline

Existing directors and PSCs are in a transition period with a final deadline of November 2026 for identity verification. Given recent events, directors might reasonably wonder whether entrusting more personal data to Companies House systems represents prudent compliance or expensive optimism.
