Companies House breach exposes email addresses of 5.6 million UK companies
Companies House has confirmed a significant security breach that potentially exposed the registered email addresses of every UK company on its register - affecting 5,645,362 companies in total[2]. The vulnerability, discovered on 13 March 2026[1], has raised concerns about targeted phishing attacks across the UK's business community.
Scale of the breach
According to Andy King, Chief Executive of Companies House, the security issue meant that "a logged-in user of our WebFiling service could potentially access and change some elements of another company's details without their consent after performing a specific set of actions." The statement, published on 18 March 2026, confirmed that company email addresses were among the data that may have been visible to unauthorised users.
The breach affects all companies registered in the UK, with Companies House confirming it is "contacting every company's registered email address between Tuesday 17 March and Thursday 19 March" about the incident. This represents the entire UK company register of 5,645,362 entities, of which 5,516,634 are currently active[2].
Companies House shut down its WebFiling service at 1:30pm on Friday 13 March[1] while investigating the issue. The service was restored at 9am on Monday 16 March[1] after independent testing.
Sectors most at risk
Analysis of Companies House data reveals which business sectors have the highest concentration of exposed email addresses. The property sector dominates the list, with 447,770 companies involved in "other letting and operating of own or leased real estate"[3] now potentially vulnerable to targeted attacks.
Management consultancies represent the second-largest exposed group, with 278,051 companies classified under "management consultancy activities other than financial management"[5] affected. The third most-exposed sector comprises 277,121 companies engaged in "buying and selling of own real estate".
Other significantly affected sectors include:
- Business support services: 228,396 companies
- Online retail: 209,681 companies
- IT consultancy: 170,370 companies
- Property management: 138,618 companies engaged in residents property management
- Dormant companies: 119,052 entities
The concentration of affected companies in high-value sectors like real estate and professional services raises particular concerns about targeted fraud attempts.
Nature of the vulnerability
Companies House has traced the vulnerability to an update made to its WebFiling systems in October 2025[1]. The issue was "not accessible to the general public," with King emphasising that "only users with an authorised code and logged in to the service could have performed this action."
Beyond email addresses, the exposed data included "dates of birth, residential addresses" of company directors. The statement also revealed it "may have been possible for unauthorised filings - such as accounts or changes of director - to have been made on another company's record."
However, Companies House stressed several limitations to the breach. The organisation stated: "We believe that this issue could not have been used to extract data in large volumes or to access records systematically. Any access would have been limited to individual company records, viewed one at a time by a registered WebFiling user."
Crucially, passwords were not compromised, and "no data used as part of our identity verification process, such as passport information, was accessed." Additionally, existing filed documents could not have been altered.
Regulatory response and implications
Companies House has "proactively reported this incident to the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC)." The organisation is "actively analysing our data to identify any anomalies" as part of its investigation.
The timing of the breach notification process - with emails being sent to all registered companies between 17 and 19 March 2026 - itself creates a window of opportunity for fraudsters. Companies are being warned that legitimate emails will come from "companies.house@notifications.service.gov.uk," though this information could be exploited by criminals crafting convincing phishing emails.
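Because the published sender address can be copied into a display name, a recipient-side check has to rest on the real From address and on the DMARC result recorded by the recipient's own mail server. The following is an added example, not code from Companies House or from the original article; the authserv-id `mx.example.org` and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

EXPECTED_SENDER = "companies.house@notifications.service.gov.uk"  # quoted in the article
EXPECTED_DOMAIN = EXPECTED_SENDER.split("@")[1]
TRUSTED_AUTHSERV = "mx.example.org"  # assumption: authserv-id of your own inbound MTA

def dmarc_passed(msg) -> bool:
    """True only if our own MTA recorded dmarc=pass for the expected From domain."""
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        if authserv.lower().split()[:1] != [TRUSTED_AUTHSERV]:
            continue  # stamped by another host, so the sender could have forged it
        for res in results.lower().split(";"):
            tokens = res.split()
            if "dmarc=pass" in tokens and f"header.from={EXPECTED_DOMAIN}" in tokens:
                return True
    return False

def check_notice(raw: str) -> list[str]:
    """Return reasons to distrust the message; an empty list means both checks passed."""
    msg = message_from_string(raw)
    problems = []
    display, addr = parseaddr(msg.get("From", ""))
    if addr.lower() != EXPECTED_SENDER:
        problems.append("From address is not the published sender")
        if EXPECTED_DOMAIN in display.lower():
            problems.append("display name imitates the published sender")
    if not dmarc_passed(msg):
        problems.append("no trusted dmarc=pass for the published domain")
    return problems

# Constructed sample messages (not real Companies House mail).
GENUINE = (
    "Authentication-Results: mx.example.org; dmarc=pass"
    " header.from=notifications.service.gov.uk\n"
    "From: Companies House <companies.house@notifications.service.gov.uk>\n"
    "Subject: Constructed notice\n\nConstructed body.\n"
)
SPOOF = (
    "Authentication-Results: mx.other.example; dmarc=pass"
    " header.from=notifications.service.gov.uk\n"
    'From: "companies.house@notifications.service.gov.uk" <notice@lookalike.example>\n'
    "Subject: Constructed notice\n\nConstructed body.\n"
)

if __name__ == "__main__":
    print(check_notice(GENUINE), check_notice(SPOOF))
```

A message that passes both checks still only proves where it came from; any links or filing requests in it should be reached by typing the service address directly.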
The incident highlights the centralised nature of UK company data and the systemic risks when a single point of failure affects millions of businesses simultaneously. With 3,600 new companies incorporated in the past seven days alone, the register continues to grow even as the full impact of this breach is assessed.
Looking ahead
The breach represents one of the largest exposures of UK business contact information to date. While Companies House maintains that large-scale data extraction was not possible, the exposure of email addresses for 5.6 million companies creates a substantial attack surface for cybercriminals.
Property companies, management consultancies, and IT firms - representing over 1 million affected entities - may need to implement additional email security measures. The incident also raises questions about the security of centralised government databases and whether additional authentication measures are needed for services that handle sensitive corporate information.
As Companies House continues its investigation and analysis of potential unauthorised access, UK businesses face an extended period of heightened vigilance against targeted phishing attempts using their exposed contact details.