The government's official company registry, Companies House, has publicly acknowledged a significant security failure that remained active for at least six months. This vulnerability permitted users to view and alter details of other companies without obtaining proper authorization or consent.
Timeline of the Security Incident
An internal investigation conducted by Companies House over the weekend revealed that the security flaw was introduced during a system update in October 2025. The registry was first alerted to the issue on Friday, March 13, 2026, prompting immediate action to address the vulnerability.
Regulatory Notifications and Response
Companies House has formally reported the incident to both the Information Commissioner's Office and the National Cyber Security Centre. These notifications trigger potential investigations into data protection compliance and cyber security protocols at the government agency.
Despite the serious nature of the vulnerability, Companies House has emphasized that no password information was compromised during the six-month period. Additionally, the registry stated that sensitive identity verification data, including passport information and other personal identification documents, remained secure and was not accessed through this security flaw.
Official Statement from Leadership
Andy King, Chief Executive of Companies House, issued a formal apology regarding the incident. "I recognise that this incident will have caused concern and inconvenience to many of the companies and individuals who rely on our services. I am sorry for that," King stated.
He further emphasized the organization's commitment to data protection, saying, "Companies House takes its responsibility to protect the data entrusted to us extremely seriously. We have taken swift action to secure and restore our service, and are committed to doing everything in our power to support those affected and to making sure that our services continue to merit the trust placed in them."
Implications for Business Community
The security vulnerability represents a significant concern for the millions of companies registered with the government agency. Companies House serves as the official registry for all limited companies in the United Kingdom, maintaining essential corporate information that includes:
- Company directors and secretaries
- Registered office addresses
- Annual accounts and confirmation statements
- Shareholder information
- Company charges and mortgages
The ability for unauthorized users to potentially alter this information without detection for six months raises serious questions about data integrity and corporate security. Business organizations and cybersecurity experts are likely to scrutinize the incident closely as Companies House works to restore confidence in its digital systems.
