
The Companies House Breach: a flaw that left 5 million UK businesses exposed

The reliability of the UK’s corporate register, the foundation of business trust and research, has been severely compromised.

For five months, a vulnerability in the Companies House WebFiling system allowed logged-in users to bypass authentication and access the private dashboards and personal details of any of the 5 million companies registered in the UK.

This isn’t just a technical glitch or a GDPR headache. If you are a business owner or director, you will know that this was a wide-open door to company hijacking.

While Companies House has stated there was no evidence of exploitation yet, the risk remains acute. Exposed data included non-public residential addresses and DOBs of directors, the ability to appoint or remove officers, and the potential to open fraudulent bank accounts in a company’s name.

This vulnerability was introduced in an October 2025 update and remained live for nearly half a year. It reinforces a truth we share with our clients: compliance does not equal resilience. Relying on a third-party government portal shouldn’t absolve a business of its duty to monitor its own corporate footprint. In an era where the Cyber Security and Resilience Bill 2026 is raising the bar for SMEs, the ability to protect your corporate identity is no longer an IT bonus; it is a competitive differentiator.

Helpful next steps to take to ensure your details are secure:

Conduct an Immediate Data Audit – The most pressing risk is unauthorised changes to your corporate record.

  • Check your current officers
    Verify that your list of directors and Persons with Significant Control (PSCs) is accurate.
  • Review Recent Filings
    Look at the Filing History for any documents you don’t recognise, specifically Form AP01 (appointment of director), CH01 (change of details), or unauthorised annual accounts.
  • Verify Registered Office Address
    Ensure your registered office hasn’t been changed to a “drop address” used by fraudsters to intercept official mail.
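
The three checks above can be run as a repeatable comparison between a snapshot of the public register and the company's own records. This is an added example, not code from Mondas or Companies House; the record layout, field names, transaction ids and sample values are constructed assumptions, and fetching the snapshot is left out.

```python
from datetime import date
# Form types the article names as hijack indicators.
HIGH_RISK = {"AP01", "CH01"}
SINCE = date(2025, 10, 1)  # flaw introduced in an October 2025 update

def _norm(addr):
    # Compare first address line + postcode, ignoring case and spacing.
    return tuple("".join(addr.get(k, "").split()).upper()
                 for k in ("address_line_1", "postal_code"))

def audit_register(snapshot, baseline, since=SINCE):
    """Return (severity, message) findings where register and records differ."""
    findings = []
    active = {o["name"].strip().upper() for o in snapshot["officers"]
              if not o.get("resigned_on")}
    expected = {n.strip().upper() for n in baseline["officers"]}
    for name in sorted(active - expected):
        findings.append(("HIGH", f"unexpected active officer: {name}"))
    for name in sorted(expected - active):
        findings.append(("HIGH", f"expected officer no longer active: {name}"))
    for f in snapshot["filings"]:
        # Skip filings we submitted ourselves or that predate the window.
        mine = f["transaction_id"] in baseline["approved_filings"]
        if mine or date.fromisoformat(f["date"]) < since:
            continue
        sev = "HIGH" if f["type"] in HIGH_RISK else "REVIEW"
        findings.append((sev, f"unrecognised {f['type']} filed {f['date']}"))
    if _norm(snapshot["registered_office"]) != _norm(baseline["registered_office"]):
        findings.append(("HIGH", "registered office differs from our records"))
    return findings

# Constructed sample data, not real register entries.
SNAPSHOT = {
    "officers": [{"name": "EXAMPLE, Alice"}, {"name": "PLACEHOLDER, Mallory"},
                 {"name": "EXAMPLE, Bob", "resigned_on": "2025-11-20"}],
    "filings": [
        {"transaction_id": "TX-0001", "type": "CS01", "date": "2025-09-12"},
        {"transaction_id": "TX-0002", "type": "AA", "date": "2025-12-01"},
        {"transaction_id": "TX-0003", "type": "AP01", "date": "2026-01-15"},
        {"transaction_id": "TX-0004", "type": "TM01", "date": "2025-11-20"}],
    "registered_office": {"address_line_1": "1 Sample Lane", "postal_code": "zz9 9zz"},
}
BASELINE = {
    "officers": ["Example, Alice", "Example, Bob"],
    "approved_filings": {"TX-0002"},
    "registered_office": {"address_line_1": "10 Example Street", "postal_code": "ZZ1 1ZZ"},
}
if __name__ == "__main__":
    print(*audit_register(SNAPSHOT, BASELINE), sep="\n")
```

Anything marked HIGH is a change the company cannot account for and should be raised with Companies House; REVIEW items need matching against internal filing records.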

Secure Your Directors’ Personal Info – The flaw exposed non-public data, including full dates of birth, residential addresses, and personal email addresses of directors.

  • Brief your Board
    Inform all directors that their personal data may have been compromised.
  • Watch for Phishing
    Expect a spike in highly targeted phishing emails or social engineering calls. Attackers may use the leaked DOBs and addresses to “verify” their identity to your staff or banks.
  • Update Security Questions
    If any directors use their Place of Birth or Home Address as security answers for banking or other services, they should change those security prompts immediately.

Finalise Identity Verification – As of early 2026, Companies House has been rolling out mandatory Identity Verification.

  • If your directors haven’t completed their verification yet, do it now. Verified accounts are harder to spoof, and Companies House is prioritising the security of verified profiles during their ongoing investigation into the breach.

At Mondas, we help businesses build genuine operational resilience. If this incident has highlighted a gap in your risk management strategy, get in touch today.

This article was brought to you by Lance Nevill – Cyber Security Director. Lance leads our strategic vision in threat mitigation.

Content First Published 17/03/2026