UK Watchdog Probes Companies House Web Filing Lapse

Tom Burroughes

2 April 2026

The (ICO) in the UK has told WealthBriefing that it is probing a recent security lapse at , said on his LinkedIn page. Noseda has also talked to this news service regularly about the potential collision between data protection requirements and government collection of data on individuals’ financial lives.

“Unless the ICO intervenes with full force, it will be indicative of the failure of UK government in the field of data protection in the UK,” Noseda said.

Noseda said he has filed a GDPR compliant with the ICO. “I'm not holding my breath, as the ICO has effectively abdicated its regulatory mission when it comes to governments. However, another example of ICO inaction would expose the moribund state of data protection in the UK, so it's a cause worth pursuing.”

In its statement, the ICO said it had closed WebFiling at 1:30pm on Friday 13 March while it investigated and resolved the issue. The service was independently tested and returned online from 9:00 am on Monday 16 March.

“Our investigation has established that specific data from individual companies not normally published on the Companies House register may have been visible to other logged-in WebFiling users. This includes dates of birth, residential addresses and company email addresses. It may also have been possible for unauthorised filings – such as accounts or changes of director – to have been made on another company’s record,” it said.

Companies House said that passwords were not compromised; no data used as part of its identity verification process, such as passport information, was accessed, and no existing filed documents, such as accounts or confirmation statements, could have been altered.

“We believe that this issue could not have been used to extract data in large volumes or to access records systematically. Any access would have been limited to individual company records, viewed one at a time by a registered WebFiling user,” it said.

The organisation said the breach happened when it updated WebFiling systems in October 2025.

Companies House said it “proactively reported this incident to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC)”.

The organisation did not describe the incident as a data breach, typically defined as "the unauthorized exposure, disclosure, or loss of personal information."

Public bodies around the world have been affected by incidents, some dramatic, as in the case that took place from 2018 through 2020, when Charles Littlejohn stole tax return information for thousands of high net worth persons and related entities and disclosed it to ProPublica and other entities. In April 2024, the began notifying thousands of taxpayers that their tax return information was subject to a data breach.