Companies House has begun emailing every company’s registered address between Tuesday 17 March and Thursday 19 March 2026 after confirming a security issue in its WebFiling service. Directors should treat this as a live control failure and check their company records today. (gov.uk)
According to a statement from Chief Executive Andy King, the issue was identified on Friday 13 March. WebFiling was taken offline at 1:30pm that day, independently tested over the weekend, and restored at 9:00am on Monday 16 March. Companies House says the problem was introduced during an October 2025 system update and could only be triggered by a logged‑in user performing a specific set of actions. (gov.uk)
What might have been visible or actioned? Companies House confirms some data not normally on the public register - the day element of dates of birth, residential addresses for directors and PSCs, and registered company email addresses - may have been seen. It may also have been possible to submit filings, including accounts or director changes, without consent. Passwords and identity‑verification data were not accessed, and existing filed documents could not be altered. The registrar also says mass data extraction was not feasible. (gov.uk)
The email to companies asks directors to confirm nothing has changed on their record and to review filing histories using both WebFiling and the Find and update company information service. If anything looks wrong, Companies House asks you to contact enquiries@companieshouse.gov.uk with ‘WebFiling issue’ in the subject and include your company name and number. (gov.uk)
Start with a rapid triage. Review your public filing history and director/PSC details and confirm no unexpected submissions were made between Friday 13 March and Monday 16 March. In WebFiling, check your Recent Filings view for activity in the last 10 days and make sure your registered email address is the one you control. Cross‑check changes against board minutes and prior instructions. (ewf.companieshouse.gov.uk)
Turn on ongoing surveillance. Companies House recommends using the free Follow service, which sends instant email alerts whenever a document is filed on your company. Enrol via Find and update company information and select ‘Follow this company’ on your company page so you are notified the moment anything changes. (gov.uk)
Tighten your filing perimeter. If you are not already enrolled, use the Protected Online Filing (PROOF) scheme to block paper submissions for key forms - a common attack route in hijacks - and keep your authentication code out of email. Review who has authority to file on your behalf and remove dormant companies from your WebFiling account. Companies House also advises using the same email for your WebFiling and Find and update accounts to reduce confusion during the move to GOV.UK One Login. (ewf.companieshouse.gov.uk)
If you spot an unauthorised change, raise a complaint with Companies House and include evidence so the registrar can investigate and, where appropriate, reverse or annotate the record. If you believe personal safety is at risk because a home address was exposed, consider applying to restrict disclosure of your details on the register under the Companies Act 2006. (gov.uk)
Agents and outsourced company secretaries should not sit on this. Companies House says third‑party agents receiving the notice must forward it to directors for all client companies. Directors should ask their agent to confirm a clean review of filing histories and to evidence removal of any entities the agent no longer serves. (gov.uk)
Context matters. In March 2024, Companies House had to rectify hundreds of erroneously satisfied charges after misuse of WebFiling by a third party, underlining why real‑time monitoring and PROOF are not optional hygiene for boards. Today’s flaw is different in nature, but the governance lesson is the same: record‑keeping at Companies House warrants board‑level oversight. (dlapiper.com)
Companies House says it has notified the ICO and the National Cyber Security Centre and will provide further updates. Meanwhile, expect phishing attempts piggy‑backing on the incident. Treat any unexpected message with caution and verify the sender domain ends in .gov.uk; when in doubt, report suspected scams to Companies House using its published guidance. (gov.uk)