Companies House have now admitted to a major security flaw in their WebFiling software, which has put the confidential details of more than five million companies at risk. The flaw meant that any user of the site was able to view and potentially amend items for other companies, including director names and addresses, and potentially upload fraudulent accounts.
What happened?
The news of the Companies House (CH) security failure broke on Monday 16 March 2026, when they announced that WebFiling had been closed to enable them to investigate and resolve the problem.
According to CH, the software vulnerability occurred in early October 2025, when it introduced a major update for its WebFiling system. It is not known whether Companies House will be able to identify which company dashboards were accessed, although it confirmed it was actively investigating. It also claimed that it had not received any reports of changes on its site that had not been authorised by the company concerned.
Back from the future
The software flaw did not require sophisticated technology or computer hacking skills to exploit. Anyone could simply log into Companies House using their own details and access their own company’s dashboard. From there, they had the option to “file for another company”, where they could enter the company number for any of the five million companies registered with Companies House.
The system then requested an authentication code, which the user didn’t have access to. But by pressing the ‘back key’ on the dashboard, ‘abracadabra’, they could access the other company without needing to enter a code. This enabled them to access personal information about the company and its directors.
Not only could rogue users access information that is normally hidden from public view; even more worryingly, they could also change details such as the company’s registered address and details of shareholders, and potentially file fraudulent accounts.
The software used is known as ‘The One Login’, and when it was introduced it was heralded as the future of safe interactive online software, though it seems to me that rather than taking a step into the future, our wonderful government has taken a giant step backwards.
When was the security flaw discovered?
Well, the first thing you should know is that CH were oblivious to the problem for almost six months. They only became aware when Jason Hewitt, Operations Director at Ghost Mail Ltd, discovered the vulnerability and informed them of the serious software flaw. When he contacted Companies House, he did not receive a response, so he decided to approach Dan Neidle to investigate the potentially serious issue.
Dan Neidle of Tax Policy Associates posted a video highlighting the bug, in which he demonstrated how he was able to view the private Companies House dashboard of ClarityDW Ltd, a digital communications consultancy owned by Jonathan Phillips (who had given him permission to do this).
He then viewed Phillips’s company dashboard and modified his registered address. The change of address generated a confirmation number, which was sent to his email, but critically not the email address registered for the company whose details were changed.
Dan Neidle confirmed that it appeared highly likely that any edit could be made to a company, including filing accounts, but added that this was not tested because of concerns it could be a criminal offence to do so. (Using a computer to access data without permission, even without malicious intent, is an offence under the Computer Misuse Act and is punishable by up to two years in prison.)
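The flow described above (a company selected before the authentication code step, and a confirmation sent only to the person filing), as an added Python sketch that is not Companies House code. The page does not say what caused the flaw on the server; the sketch assumes the active company was switched before the code was verified, and every name, company number, code and address in it is constructed.

```python
import hmac

# Constructed sample data: company number -> auth code and registered contact.
COMPANIES = {
    "00000001": {"auth_code": "A1B2C3", "email": "owner@one.example", "address": "1 High St"},
    "00000002": {"auth_code": "Z9Y8X7", "email": "owner@two.example", "address": "2 Low Rd"},
}


def new_session(user_email, own_company):
    # The logged-in user starts out authorised for their own company only.
    return {"user": user_email, "authorised": {own_company}, "active": own_company, "pending": None}


def select_company_vulnerable(session, number):
    # Assumed flaw: the active company is switched as soon as the number is
    # entered, so abandoning the code prompt leaves the switch in place.
    session["active"] = number


def select_company(session, number):
    # Hardened: only record the request; nothing is switched yet.
    session["pending"] = number if number in COMPANIES else None


def submit_auth_code(session, code):
    # Promote the pending company only after a constant-time code match.
    number, session["pending"] = session["pending"], None
    if number and hmac.compare_digest(code.encode(), COMPANIES[number]["auth_code"].encode()):
        session["authorised"].add(number)
        session["active"] = number
        return True
    return False


def change_address(session, new_address, outbox):
    # Re-check authorisation on every state-changing request, not only at
    # the step that was supposed to come before it.
    number = session["active"]
    if number not in session["authorised"]:
        raise PermissionError("session not authorised for company " + number)
    COMPANIES[number]["address"] = new_address
    # Notify the address registered for the company as well as the filer.
    outbox.append((COMPANIES[number]["email"], number))
    outbox.append((session["user"], number))
```

The per-request check in `change_address` is what stops a write even if some earlier step has switched the active company by mistake.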
System shutdown
Dan Neidle contacted Andy King, CEO at Companies House, about the security flaw, and King responded by immediately shutting down the e-filing system. He then issued a statement offering an apology for the “concern and inconvenience” to the companies and individuals who rely on its services. “We have taken swift action to secure and restore our service and are committed to doing everything in our power to support those affected and to making sure that our services continue to merit the trust placed in them.”
King then said that CH had reported itself to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC) under the General Data Protection Regulations (GDPR). He added that they had now advised all companies to check their registered details and filing history to make sure everything appears correct, and that if a company has a concern, it should raise a complaint with CH.
Major flaws in the One Login software
This major security flaw is merely the latest in a series of IT failures that have dogged the UK’s gov.uk One Login digital identity system. One Login was designed to replace Government Gateway accounts as a single identity check and login system to access all central government services, with the eventual goal of all taxpayers, companies and agents accessing its services through One Login.
Shortly after the software was introduced in July 2022, a report based on information from a whistleblower, who said there were critical structural flaws in the software, raised concerns that One Login lacked “basic governance and risk management processes”. The report flagged up an astounding number of over half a million system vulnerabilities, with thousands rated as “critical” or “high” severity.
Even more alarmingly, just days before the major update last October, CH told all users of One Login to sign in to their Companies House WebFiling account and verify their identity, following a string of bogus company names and directors appearing on the register.
Accountant’s view
The software failure highlighted by Dan Neidle is just the latest in a series of IT failures that have dogged the UK’s One Login digital identity system and is just another example of new software introduced by Her Majesty’s Government not being fit for purpose.
One of the most shocking aspects of this failure by Companies House is that, whilst the software blunder occurred in early October 2025, they did not notice for six months and only realised that they had a major issue after Dan Neidle contacted them. Unfortunately, the full ramifications of this major cock-up will not emerge until the millions of users of One Login next log in to their online CH accounts.
So, watch this space!




