On Thursday 12 March, John Hewitt – Director of Operations at business address services provider Ghost Mail – stumbled upon a major flaw in the web system of Companies House.
While logged in as a user, Hewitt accidentally bypassed an authentication step and landed in the content management dashboard of another director’s company – purely by clicking a few times on the ‘Back’ button.
Hewitt immediately tried to contact Companies House and alert it to the flaw, but was unable to get through. Undaunted, he swiftly raised the issue with high-profile tax campaigner – and past ICAEW Hardman Lecture speaker – Dan Neidle.
As Neidle explains in a blog, he put Hewitt’s mis-clicks through a series of tests to see if he could replicate the result and, sure enough, he did – ruling out the other director’s computer setup as the root cause.
Neidle was able to see information about the other director that was not publicly viewable on the front end of the Companies House website, such as his full date of birth and personal email address.
Neidle contacted Companies House straight away, managed to get through, and the government body quickly suspended its WebFiling service. It emerged that the flaw had existed for five months, stemming from a routine IT update.
No data was compromised
In a statement, Companies House assured users that, during the window of vulnerability:
- no passwords were compromised,
- no data used as part of its identity verification process – for example, passport information – was accessed, and
- no existing filed documents, such as accounts or confirmation statements, could have been altered.
“We believe that this issue could not have been used to extract data in large volumes or to access records systematically,” it said.
It would have been relatively unlikely for a user to unintentionally cycle through those clicks in the same way that Hewitt did and get the same result, says ICAEW's Data Analytics and Tech Manager Bani Lamba.
“As such, I would also think it relatively unlikely that a large number of businesses had experienced tampering with their Companies House records,” she says.
Check your data
Michelle Giddings, Head of AML and Operations, Professional Standards, advises ICAEW firms and their clients to check their registered details and filing history to ensure that everything is correct.
She says: “If you identify something that is incorrect or doesn't look right, you can contact Companies House by emailing enquiries@companieshouse.gov.uk using ‘WebFiling issue’ in the subject heading.”
Lamba agrees: “Make sure that nothing has been changed or deleted without your authorisation or personal involvement. And if you do see anything that looks wrong or unexpected, flag it up immediately via the email address that Companies House has provided.”
How to test for flaws in a system
For ICAEW's Head of Data Analytics and Tech Ian Pay, there are wider lessons to be gleaned on the development and day-to-day running of public-facing IT services. “One rule of thumb is that when you are testing a system, use it like a child would,” he says. “It’s important to navigate in ways that are not intended, as well as those that are.”
He adds: “It is fortunate that the Companies House bug was somewhat niche. It should be a key testing requirement to establish whether one user has a potential ability to access confidential information relating to another user when logged in.”
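The testing requirement Pay describes can be written down as an automated check: log in as each user, navigate outside the intended flow, and confirm that another user's confidential dashboard is never returned. The example below is added here and is not Companies House code; the filing app, the two directors, the company numbers and the stale-session defect it toggles are all constructed for illustration, since the article does not say what caused the real bug.

```python
"""Constructed model of a filing service plus a cross-account access test.
Hypothetical app, users and defect, written to illustrate the testing rule;
it is not Companies House code and does not model the real WebFiling fault."""
import itertools

# Constructed sample data: two directors, each authorised for one company.
USERS = {"alice": {"company": "00000001"}, "bob": {"company": "00000002"}}
DASHBOARDS = {  # confidential details only the company's own director may see
    "00000001": {"director_dob": "1970-01-01", "email": "alice@example.com"},
    "00000002": {"director_dob": "1980-02-02", "email": "bob@example.com"},
}


class FilingApp:
    """Hypothetical WebFiling-style app. With verify_on_every_request=False the
    company check runs once on entry and a session flag is trusted afterwards,
    so an out-of-order request is never re-checked (the assumed defect)."""

    def __init__(self, verify_on_every_request=True):
        self.verify_on_every_request = verify_on_every_request

    def login(self, user):
        return {"user": user, "verified_company": None}

    def enter_company(self, session, company):
        # Authentication step: is the logged-in user a director of this company?
        if USERS[session["user"]]["company"] != company:
            return 403
        session["verified_company"] = company
        return 200

    def dashboard(self, session, company):
        if self.verify_on_every_request:
            # Hardened: authorise against the user on every request, not a flag.
            if USERS[session["user"]]["company"] != company:
                return 403, None
        elif session["verified_company"] is None:
            return 302, None  # redirect to the verification step
        return 200, DASHBOARDS[company]


def cross_account_leaks(app):
    """Pay's rule as a test: for each ordered pair of users, log in as one,
    complete the intended flow for their own company, then request the other
    user's dashboard directly. Returns the (viewer, victim) pairs that leaked."""
    leaks = []
    for viewer, victim in itertools.permutations(USERS, 2):
        session = app.login(viewer)
        app.enter_company(session, USERS[viewer]["company"])  # legitimate step
        status, body = app.dashboard(session, USERS[victim]["company"])
        if status == 200 and body is not None:
            leaks.append((viewer, victim))
    return leaks
```

Run against the hardened configuration the check returns no leaks; against the flagged-session configuration it reports both directors reaching each other's dashboard, which is exactly the class of finding such a test is meant to surface before release.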
Cyber security support
ICAEW has a host of resources addressing the latest cyber security issues and guidance on how to protect your business.