Companies House Security Breach Exposes All 5.6 Million UK Companies to Data Risk

A security breach at Companies House has exposed all 5.6 million UK registered companies to potential data compromise, according to an official statement^[1] released by the registrar's Chief Executive Andy King on 16 March 2026.

The vulnerability in the WebFiling service meant that logged-in users could potentially access and modify other companies' details without authorisation after performing specific actions. The breach, which was discovered on Friday 13 March, prompted an immediate shutdown of the service at 1:30pm^[1].

Scale of Exposure: Every UK Company at Risk

The breach affects all 5,651,279 companies on the UK register^[2], making it one of the most comprehensive corporate data exposures in UK history. Of these, 5,520,418 are active companies^[2], meaning the vast majority of affected entities are operational businesses rather than dormant shells.

Companies House has confirmed it will be "emailing every company's registered email address to explain how to check their details and what steps to take if they have any concerns"^[1]. The notification process^[3] began on Tuesday 17 March and was scheduled to complete by Thursday 19 March 2026.

What Data Was Compromised

The investigation revealed that "specific data from individual companies not normally published on the Companies House register may have been visible to other logged-in WebFiling users"^[1]. This exposed information includes:

- Dates of birth
- Residential addresses
- Company email addresses

Perhaps more concerning, the breach "may also have been possible for unauthorised filings - such as accounts or changes of director - to have been made on another company's record"^[1]. This raises the possibility of fraudulent alterations to company records during the exposure period.

Companies House emphasised that passwords were not compromised and no identity verification data, such as passport information, was accessed^[1]. The organisation also stated that "existing filed documents, such as accounts or confirmation statements could not have been altered"^[1].

Most Affected Sectors: Real Estate and Professional Services Lead

Analysis of the CompanyPulse company register^[2] reveals that real estate companies face the highest exposure, with 448,062 companies classified under "Other letting and operating of own or leased real estate" representing the largest single sector affected.

Professional services firms also face significant exposure:

- Management consultancy activities: 278,287 companies^[2]
- Business support services: 228,506 companies^[2]
- Information technology consultancy: 170,513 companies^[2]

The retail sector, particularly e-commerce businesses, represents another major exposure category with 209,980 companies operating in "Retail sale via mail order houses or via Internet"^[2]. These digital-first businesses may be particularly vulnerable to the consequences of email address exposure.

Timeline and System Vulnerability

Companies House's investigation "indicates that this issue was introduced when we updated our WebFiling systems in October 2025"^[1]. This means the vulnerability may have existed for approximately five months before detection.

The registrar noted that "this issue could not have been used to extract data in large volumes or to access records systematically"^[1]. Access was limited to individual company records viewed one at a time by registered WebFiling users. However, this limitation provides little comfort to companies whose data may have been accessed during the exposure period.

The service was restored on Monday 16 March at 9am after being "independently tested"^[1], though Companies House has not disclosed the identity of the testing organisation.

Regulatory Response and Next Steps

Companies House has "proactively reported this incident to the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC)"^[1]. The involvement of both data protection and cybersecurity authorities suggests the breach may have serious regulatory implications.

The incident highlights vulnerabilities in the UK's company registration infrastructure at a time when businesses face increasing cyber threats. With 7,315 new companies incorporated in just the past seven days^[2], the timing of the breach could hardly be worse for Britain's entrepreneurial ecosystem.

For the 119,084 dormant companies^[2] on the register, the exposure of email addresses may reactivate long-inactive communication channels, potentially opening new vectors for phishing attacks. Active companies face the more immediate challenge of verifying their records haven't been tampered with and securing any exposed director information.

As Companies House continues its investigation and data analysis, the full impact of this breach remains to be determined. What is clear is that every UK company - from the smallest startup to the largest corporation - must now review their Companies House records and consider the implications of this unprecedented exposure.