Companies House Under Scrutiny: Five-Month WebFiling Lapse Spurs ICO Probe and Calls for Modernisation


The Information Commissioner’s Office has opened a probe into a WebFiling security lapse that affected Companies House users after an October system update. The flaw allowed a logged-in user to potentially view and, in some circumstances, change elements of another company’s record by following a specific sequence of actions. The registry closed the service, then reopened it following independent testing; parliamentary updates and executive statements now frame a debate about legacy IT and regulatory oversight.

Why this matters right now

The incident matters because the defect may have exposed sensitive details for individual company records over a period described as five months. The WebFiling service was closed at 1:30pm ET on Friday 13 March and returned online at 9:00am ET on Monday 16 March after independent testing. Officials have said that information not normally published on the public register (dates of birth, residential addresses and company email addresses) may have been visible to other logged-in users, and that it may have been possible for unauthorised filings to be submitted on another company’s record. All of the UK’s five million registered businesses were advised to check their online details and submissions after services resumed.

Companies House systems and the WebFiling defect

Initial findings provided to parliamentary oversight identify an application defect introduced by an October update as the likely cause. The specific user pathway involved pressing the browser back button multiple times to reach another company’s record while logged in; in other words, an authenticated session could end up acting on a record it had never been authorised for. Investigations by the registry say that passwords and identity-verification materials such as passport information were not accessed, and that existing filed documents could not have been altered. The organisation has maintained that large-scale systematic extraction was unlikely and that any access would have been limited to individual company records, viewed one at a time by a registered user.

Executives have said monitoring systems designed to detect cyberattacks did not trigger because the problem stemmed from a functional defect rather than a hostile intrusion. In a written update to a parliamentary committee, Andy King, chief executive, Companies House, wrote: “we are undertaking extensive analysis of system records to identify any anomalous activity, [and] this has yet to identify any unauthorised changes, but investigations are ongoing”. He added that if unauthorised updates are found, the registry will take “firm action”.
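The retrospective work King describes, trawling system records for anomalous activity rather than relying on intrusion alerts, comes down to one question per request: did this user touch a company they were not entitled to act on? The script below is an added example, not Companies House code, and it makes assumptions the article does not state: a whitespace-separated access log with timestamp, session, user, action and company number, an authorisation table mapping users to the companies they may file for, and eight-digit company numbers. It is not a reproduction of the defect; it demonstrates the kind of after-the-fact analysis that can separate a single accidental view from an unauthorised filing, and from a session walking through many records, which is the pattern the registry says it did not find. The log lines and authorisation table are constructed for the example.

```python
"""Flag requests that touch a company the user is not authorised for,
grouped by session, with a severity that distinguishes a stray view from
an unauthorised filing or a possible enumeration run.

Added example, not Companies House code. The log format, field names,
authorisation table and company-number format are all assumptions."""
from dataclasses import dataclass, field

# Constructed sample log: time, session, user, action, company number.
# sess-a1 views its own company, then views and files on another.
# sess-b2 views its own company, then three others in quick succession.
# sess-c3 only touches its own company and should not be flagged.
SAMPLE_LOG = """\
2026-03-13T09:01:02Z sess-a1 user-17 view 01234567
2026-03-13T09:01:40Z sess-a1 user-17 view 01234567
2026-03-13T09:02:05Z sess-a1 user-17 view 07654321
2026-03-13T09:02:30Z sess-a1 user-17 file 07654321
2026-03-13T09:05:00Z sess-b2 user-42 view 11111111
2026-03-13T09:05:10Z sess-b2 user-42 view 22222222
2026-03-13T09:05:20Z sess-b2 user-42 view 33333333
2026-03-13T09:05:30Z sess-b2 user-42 view 44444444
2026-03-13T09:06:00Z sess-c3 user-99 view 09999999
"""

# Constructed authorisation table: companies each user may act on.
AUTHORISED = {
    "user-17": {"01234567"},
    "user-42": {"11111111"},
    "user-99": {"09999999"},
}


@dataclass
class Event:
    ts: str
    session: str
    user: str
    action: str  # "view" or "file" (assumed vocabulary)
    company: str


@dataclass
class SessionFinding:
    user: str
    views: set = field(default_factory=set)    # unauthorised companies viewed
    filings: set = field(default_factory=set)  # unauthorised companies filed on


def parse_log(text):
    """Parse the assumed five-field log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, session, user, action, company = line.split()
        events.append(Event(ts, session, user, action, company))
    return events


def find_unauthorised(events, authorised):
    """Return {session: SessionFinding} for every session that touched a
    company outside the user's authorised set. A user with no entry in the
    table is treated as authorised for nothing, so all their requests flag."""
    findings = {}
    for ev in events:
        if ev.company in authorised.get(ev.user, set()):
            continue  # the per-request check the defect effectively skipped
        finding = findings.setdefault(ev.session, SessionFinding(ev.user))
        if ev.action == "file":
            finding.filings.add(ev.company)
        else:
            finding.views.add(ev.company)
    return findings


def severity(finding, threshold=3):
    """Rank a finding: any filing on another company's record is the most
    serious; many distinct foreign companies in one session suggests
    enumeration rather than a one-off navigation mishap."""
    if finding.filings:
        return "unauthorised_filing"
    if len(finding.views) >= threshold:
        return "possible_enumeration"
    return "unauthorised_view"


if __name__ == "__main__":
    for session, finding in find_unauthorised(parse_log(SAMPLE_LOG), AUTHORISED).items():
        print(session, finding.user, severity(finding),
              "views=%s filings=%s" % (sorted(finding.views), sorted(finding.filings)))
```

The threshold is deliberately a parameter: what counts as enumeration depends on how many companies a legitimate agent normally files for in one sitting, which is a figure only the registry's own baseline can supply.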

Expert perspectives and wider impact

The regulatory and legal stakes have been voiced by external counsel and privacy advocates as well as registry leadership. Filippo Noseda, partner at Mishcon de Reya, has argued that stronger intervention is necessary, writing that “Unless the ICO intervenes with full force, it will be indicative of the failure of UK government in the field of data protection in the UK.” He has also filed a GDPR complaint with the regulator.

King has framed the episode as a catalyst for structural change, describing steps to strengthen operational controls and governance. He said the organisation is conducting a “detailed review [concerning] lessons learned of how the WebFiling defect occurred and what processes need to improve as a result,” and that it is “developing a case for investment to modernise our architecture and reduce risks associated with legacy applications.” The chief executive also outlined moves to bolster security operations and to treat the incident as part of a broader plan to protect companies and citizens and to prevent economic crime from entering the system.

Practical fallout crosses regulatory, legal and commercial lines. The ICO probe means enforcement options remain on the table, while recommendations arising from the registry’s review could shape funding requests from government and future governance of public registers. The combination of a technical defect, the potential visibility of personal details, and the advisory issued to millions of registrants foregrounds tensions between public transparency and safeguards for individual data.

As investigations continue and system logs are analysed, the central question becomes whether the episode will produce a short-term containment exercise or a sustained programme of investment and oversight that addresses ageing infrastructure and detection gaps. Will Companies House emerge with clearer technical defences and stronger regulatory assurance, or will the episode be judged a missed opportunity to modernise a critical public registry?
