Companies House is emailing every company’s registered email address between Tuesday 17 March and Thursday 19 March 2026 following the identification of a WebFiling security issue on Friday 13 March. The agency took WebFiling offline at 13:30 on 13 March and restored the service at 09:00 on Monday 16 March after independent testing. Companies House says the fault stemmed from an October 2025 system update and was not the result of a cyber-attack. (gov.uk)
According to Companies House, a logged-in user performing a specific sequence of actions could potentially have viewed information not normally public on the register: the day of a director’s or person with significant control’s date of birth, their residential address, and the company’s registered email address. It might also have been possible for an unauthorised filer to submit updates, such as accounts or director changes, without consent. (gov.uk)
The agency states the issue was not accessible to the general public and required login with an authorised code. Passwords were not compromised, identity verification data (such as passport information) was not accessed, and existing filed documents could not have been altered. Companies House reports no confirmed cases of unauthorised access or change and believes data could not have been extracted at scale. (gov.uk)
Companies are asked to review their registered details and filing history both in WebFiling and via the Find and update company information service. To aid monitoring, Companies House recommends using its free Follow service for instant alerts of new filings. Suspected errors or unexpected activity should be reported to enquiries@companieshouse.gov.uk, using ‘WebFiling issue’ in the subject and including the company name and number. (gov.uk)
The outbound messages are being sent to each company’s registered email address. Recipients cannot unsubscribe from communications to this address, which does not appear on the public register. The requirement to provide and maintain a registered email address was introduced under reforms taking effect from 4 March 2024. (gov.uk)
Policy Wire analysis: a nationwide email campaign increases the risk of spoofed messages. Company officers should verify that any message claiming to be from Companies House originates from a .gov.uk address and treat unexpected links with caution. Suspicious communications can be forwarded to phishing@companieshouse.gov.uk for assessment. (gov.uk)
Companies House has reported the incident to the Information Commissioner’s Office and the National Cyber Security Centre and will provide further updates as analysis continues. The agency says it will take firm action if it finds evidence of unauthorised access or changes. (gov.uk)
Third-party agents who receive the notice on behalf of clients are asked to pass it to company directors for all entities they represent. Where a company suspects that records were changed or personal data viewed without consent, Companies House asks that a complaint is raised and monitoring of the filing history continues. (gov.uk)
Policy Wire analysis: over the current 17–19 March window, company secretaries should set aside time to confirm directors’ and PSC details are correct, scan for unfamiliar filings dated 13–16 March, ensure the Follow alert is active for the company, and brief authorised filers to report anomalies promptly to Companies House. (gov.uk)