Compliance
UK Watchdog Probes Companies House Web Filing Lapse

Cybersecurity and other threats raise questions about how far government and private bodies can gather potentially sensitive financial and other information about individuals, creating tensions between privacy, on the one hand, and calls for transparency, on the other.
The Information Commissioner’s Office (ICO) in the UK has told
WealthBriefing that it is probing a recent security lapse at
Companies House – the database used to log details of registered
companies in the country.
On Friday 13 March, Companies House was made aware of a security
issue which meant that a logged-in user of its WebFiling service
could potentially access and change some elements of another
company’s details without their consent after performing a
specific set of actions, the organisation said in a 16 March
statement.
The incident came at a time when cybersecurity threats pose a
challenge to public bodies responsible for guarding details
of business owners and taxpayers. It also casts light on the
scope of the GDPR and the ways it can apply differently
to private and state sector organisations.
“We can confirm we have contacted Companies House and are
assessing the information provided,” a spokesperson for the ICO told
this news service when asked about the matter on 23 March. The
ICO did not elaborate.
The UK government must act severely to show it takes such matters
seriously, Filippo Noseda, partner at Mishcon de Reya,
said on his LinkedIn page. Noseda has also talked to this news
service regularly about the potential collision between data
protection requirements and government collection of data on
individuals’ financial lives.
“Unless the ICO intervenes with full force, it will be indicative
of the failure of UK government in the field of data protection
in the UK,” Noseda said.
Noseda said he has filed a GDPR complaint with the ICO. “I'm not
holding my breath, as the ICO has effectively abdicated its
regulatory mission when it comes to governments. However, another
example of ICO inaction would expose the moribund state of data
protection in the UK, so it's a cause worth pursuing.”
In its statement, the ICO said it had closed WebFiling at 1:30 pm
on Friday 13 March while it investigated and resolved the issue.
The service was independently tested and returned online from
9:00 am on Monday 16 March.
“Our investigation has established that specific data from
individual companies not normally published on the Companies
House register may have been visible to other logged-in WebFiling
users. This includes dates of birth, residential addresses and
company email addresses. It may also have been possible for
unauthorised filings – such as accounts or changes of
director – to have been made on another company’s record,”
it said.
Companies House said that passwords were not compromised; no data
used as part of its identity verification process, such as
passport information, was accessed, and no existing filed
documents, such as accounts or confirmation statements, could
have been altered.
“We believe that this issue could not have been used to extract
data in large volumes or to access records systematically. Any
access would have been limited to individual company records,
viewed one at a time by a registered WebFiling user,” it
said.
The organisation said the breach happened when it updated
WebFiling systems in October 2025.
Companies House said it “proactively reported this incident to
the Information Commissioner’s Office (ICO) and the National
Cyber Security Centre (NCSC)”.
The organisation did not describe the incident as a data breach,
typically defined as "the unauthorized exposure, disclosure, or
loss of personal information."
Public bodies around the world have been affected by such incidents,
some of them dramatic. In one case, which took place from 2018
through 2020, Charles Littlejohn stole tax return
information for thousands of high net worth persons and related
entities and disclosed it to ProPublica and other entities. In
April 2024, the Internal Revenue Service began notifying thousands
of taxpayers that their tax return information was subject to a
data breach.