Companies House published a statement on 16/3/26 confirming that a security issue (discovered on 13/3/26 but ongoing since October 2025 following a Companies House system update) had allowed users of their WebFiling service to access non-publicly available company and director personal data, such as dates of birth and home addresses, of other companies without their consent. It also appears that such people may have been able to make unauthorised filings (such as accounts or changes of director) on behalf of other companies or make changes to their details without their knowledge. 

The issue was not discovered by Companies House during routine security checks but by somebody who brought it to the attention of Dan Neidle at Tax Policy Associates Ltd, who reported it to Companies House, which immediately shut down its system until the issue was fixed. Full details of the discovery can be read on his website, with the most astonishing revelation being that the vulnerability could be exploited simply by pressing the “back” button a few times!

Nobody knows yet whether the vulnerability has been exploited by criminals, and the Companies House statement appears to play such concerns down, but 5 months from October to March is a long time, so in all likelihood it will have been. Companies House are looking into whether they can identify affected companies/directors etc. They have also written to the registered email addresses of all companies registered with them, advising them to check their registered details and filing history to make sure everything looks correct and to let them know if there are any anomalies. They have confirmed that passwords don’t need to be reset and that no ID verification data, such as passport information or personal codes, have been accessed.

What the Companies House statement does not address is the impact this may have on law firms and their use of Companies House data for AML/KYC purposes. Whilst the Money Laundering Regulations make it clear that Companies House should not be relied upon solely for the purposes of verifying the identity of beneficial owners (and this is a helpful reminder to pay heed to Regulation 28(9)), the data is used by firms and electronic verification providers up and down the country to assist with KYC checks. It is possible that data relied upon since October 2025 was not in fact reliable and therefore you may not have satisfied your AML obligations.

Recommended action

  1. Immediately check that any details held by Companies House, and any filing history, are correct.
  2. If you have any concerns that they may have been tampered with, contact Companies House immediately on enquiries@companieshouse.gov.uk.
  3. In terms of your clients, we recommend that you consider taking the following steps:
    • Review a sample of the clients you onboarded during the period October 2025 to 16/3/26 (and possibly all higher risk clients and matters onboarded during that period) and check the details you have from multiple sources. (In an ideal world you might want to re-do all onboarding checks during that period where Companies House data was relied upon. However, until such time as formal guidance is provided, it is for you to decide what action is appropriate, taking a risk-based approach.)
    • Contact your potentially affected clients and ensure they have followed steps 1 and 2 above.
    • Consider where else you have relied on Companies House data over the last 5 months, for example when acting on transactions involving corporate entities, and consider a review of those cases.
    • If you have any concerns that you may have assisted in a transaction based on fraudulent Companies House information, consider making a suspicious activity report to the NCA.
  4. Look out for any further guidance from Companies House, the Information Commission (to whom Companies House have reported the data breach), and hopefully guidance from the SRA and/or Law Society as to how firms should respond.