The recent disclosure of a software glitch at Companies House has raised important questions about the reliability and security of the UK’s corporate register. For many business owners and advisers, this incident is a timely reminder that even core government systems are not immune from failure.
The issue centred on a flaw within the WebFiling system, which is widely used by companies and their agents to submit accounts and update statutory records. It emerged that, under certain conditions, a logged-in user could potentially access and amend elements of another company’s record without authorisation.
More concerning was the type of information that may have been exposed. This included non-public data such as directors’ dates of birth, residential addresses and company email details. In addition, there was a possibility that unauthorised filings, including changes to director information or the submission of accounts, could have been made.
Although access to the flaw required a valid login and authentication code, and was therefore not available to the general public, the simplicity of the vulnerability has been widely noted. In some reported cases, it could be triggered through basic navigation actions within a web browser, rather than any sophisticated cyber attack.
The problem appears to have originated from a system update introduced in October 2025, meaning the vulnerability may have existed for several months before being identified. Once discovered, Companies House acted quickly, taking the WebFiling service offline to investigate and implement a fix, before restoring access after independent testing.
From a practical perspective, Companies House has advised businesses to review their company records and filing history to ensure that no unauthorised changes have been made. This is sensible advice, particularly for smaller companies where internal controls may be more limited.
For accountants, the wider implications are worth reflecting on. The integrity of Companies House data underpins many areas of business life, from credit checks to due diligence and anti-money laundering processes. Any perceived weakness in that system risks undermining confidence, not just in the register itself, but in the broader regulatory framework.
At the same time, it is important to keep the issue in proportion. There is currently no confirmed evidence of widespread misuse, and key identity verification data such as passwords and passport details were not compromised.
Nevertheless, this incident highlights the importance of ongoing vigilance. Regular monitoring of company records, strong internal controls, and prompt response to anomalies remain essential. As Companies House continues its modernisation programme, maintaining trust in the accuracy and security of its systems will be critical for businesses and advisers alike.