Companies House was forced to suspend online filings after discovering a major security shortcoming in its systems, which allowed users to edit the confidential data of other businesses.
In an update posted at 10.25am on Monday 16 March 2026, Companies House confirmed that webfilings were closed at 1.30pm on Friday 13 March while the issue was investigated and resolved. According to the statement, the service has been independently tested and is back online as of 9am on 16 March.
The UK’s official online corporate register contains the details of more than five million companies, all of which were left vulnerable to potential fraud. The issue left logged-in webfiling users free to change the name, address, email and full date of birth of company directors. They could also have deleted or uploaded false company accounts for any company registered on the site.
According to the latest Companies House update, the vulnerability was introduced when its WebFiling systems were updated in October 2025. It is not known whether Companies House will be able to identify which company dashboards were accessed, although it confirmed it was actively looking into this and had so far received no reports of any details that had changed.
The issue is the latest in a series of IT failures that have dogged the UK’s One Login digital identity system.
Back button opens the dashboard door
The flaw did not require sophisticated technology or computer hacking skills to exploit. Users simply logged into Companies House using their own details and accessed their own company’s dashboard.
From there, they had the option to “file for another company”, where they could enter the company number for any of the five million companies registered with Companies House. The system then requested an authentication code, which the user didn’t have access to. However, pressing the site’s “back” key several times returned them to the dashboard of the company they were trying to access, not their own, without needing to enter the authentication code.
From there, the user could view personal information about the company and its director that is normally hidden from public access. They could also change details such as the company’s registered address or potentially file fraudulent accounts.
Explaining the flaw
John Hewitt, operations director at registered office provider Ghost Mail, first discovered the vulnerability. He contacted Companies House but did not receive a response, so instead got in touch with tax campaigner Dan Neidle to explain the flaw.
In a video hosted on Neidle’s Tax Policy Associates website, Hewitt walked Neidle through the bug, demonstrating that he was able to view the private Companies House dashboard of ClarityDW Ltd, a digital communications consultancy owned by Jonathan Phillips (who had given the pair permission to do this).
Hewitt then viewed Neidle’s company dashboard and modified his registered address. The change of address generated a confirmation number, which was sent to Hewitt’s email (not the email address registered for the company whose details were changed).
In his Tax Policy Associates post, Neidle confirmed he couldn’t immediately see if the change was effective, because it takes around 24 hours for changes to be reflected in the dashboard – and the dashboard has now been shut down.
He stated that it seemed likely any edit could be made to a company, including filing accounts, but added this was not tested because of concerns it could be a criminal offence to do so. Using a computer to access data without permission, even without malicious intent, is an offence under the Computer Misuse Act and is punishable by up to two years in prison.
Security shutdown and GDPR responsibilities
Neidle contacted Companies House about the security flaw, and the organisation responded by shutting down the e-filing system. It was only after this was confirmed that Neidle published his story.
In the updated statement from Companies House, chief executive Andy King apologised for the “concern and inconvenience” to the companies and individuals who rely on its services.
“Companies House takes its responsibility to protect the data entrusted to us extremely seriously,” said King. “We have taken swift action to secure and restore our service, and are committed to doing everything in our power to support those affected and to making sure that our services continue to merit the trust placed in them.”
To comply with the UK’s GDPR data privacy legislation, Companies House has reported itself to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC). It stated it is also “actively analysing” its data to identify any anomalies, and will be emailing every company’s registered email address to explain how to check their details and what steps to take if they have any concerns.
“If we find evidence that anyone has used this issue to access or change another company’s details without authorisation, we will take firm action,” continued the statement.
Companies House strongly advised all companies to check their registered details and filing history to make sure everything appears correct. If a company has a concern, it should raise a complaint and include evidence to describe the concern.
One Login’s ‘critical flaws’
The security flaw is the latest in a series of IT failures that have dogged the UK’s gov.uk One Login digital identity system.
One Login was designed to replace Government Gateway accounts as a single identity check and login system to access all central government services, with the eventual goal of all taxpayers, companies and agents accessing its services through One Login.
From 13 October 2025, users had to use One Login to sign in to their Companies House WebFiling account, and were required to verify their identity following a string of bogus company names and directors appearing on the register.
However, the system has come under scrutiny following whistleblower allegations that it exposed user data to serious risks due to critical structural flaws.
A report from web publication ID Tech stated that shortly after the system’s launch in July 2022, a whistleblower raised concerns that One Login lacked “basic governance and risk management processes”, reportedly flagging more than 500,000 system vulnerabilities, with thousands rated as “critical” or “high” severity.
One of the most serious allegations raised was the unauthorised outsourcing of development work to Romania, made without the approval of Government Digital Service (GDS) chief Tom Read or consultation with the NCSC.
Following an update from Companies House released 16 March 2026, this article has been amended to clarify that logged-in webfiling users were able to access the details, not members of the general public.