For years, corporate security was treated by many small business owners as a problem exclusive to tech giants and multinational banks. A standard password and a basic firewall felt like enough protection for a typical British SME.

However, the major cyber security breach at Companies House’s WebFiling portal on 13 March 2026 shattered that complacency. The incident, which saw unauthorized actors gain temporary access to corporate filing accounts, serves as a stark reminder of how vulnerable the corporate registry ecosystem can be—and why data security must now be treated as a core financial discipline.

At CoreAcc Accountants, we believe a post-mortem of this event is essential for every director. Understanding how the breach happened is the first step toward fortifying your own business defenses.

1. Anatomy of the Breach: What Happened?

On March 13th, a sophisticated credential-stuffing attack targeted the legacy WebFiling infrastructure. Automated bots used vast databases of leaked passwords from historical, unrelated corporate data breaches to systematically guess login combinations on the Companies House portal.

Because the legacy WebFiling system did not universally mandate Multi-Factor Authentication (MFA) for older accounts, attackers successfully compromised thousands of active company profiles. Once inside, they didn't steal money; they did something far more dangerous—they altered corporate data, changed registered office addresses, and submitted fraudulent director appointment forms.

2. The Commercial Fallout for SMEs

The immediate risk of a corporate registry breach isn't a drained bank account; it is corporate identity theft. By changing a company’s registered office to a drop-shipping address or a vacant building, fraudsters can:

  • Apply for corporate credit cards and merchant loans in your business’s name.
  • Order high-value goods from suppliers on 30-day credit terms, leaving you with the bill.
  • Intercept sensitive financial correspondence, including HMRC VAT and Corporation Tax notices.

For the affected companies, the administrative nightmare of reversing a fraudulent filing at Companies House can take weeks, during which time their credit rating can be severely damaged.

3. The Regulatory Response: The Death of the Password

The March 13th breach has drastically accelerated the timeline for the Economic Crime and Corporate Transparency Act (ECCTA) security rollouts. Companies House has responded with immediate, unyielding policy shifts that are now active:

  • Mandatory Multi-Factor Authentication (MFA): As of May 2026, you can no longer log into Companies House using just a password. MFA via an authenticator app or SMS is now strictly required for every single login.
  • The Phase-Out of WebFiling: The legacy WebFiling portal is being rapidly decommissioned in favour of the more secure Find and Update Company Information service and direct API software filing.

4. Immediate Steps Every Director Must Take

If you haven't reviewed your corporate filing security since March, your business remains at risk. We recommend taking three immediate actions:

  • Audit Your Verification Codes: Ensure your company’s unique 6-digit Companies House Authentication Code is kept completely confidential. It should never be stored in an unencrypted email or shared with unauthorized staff.
  • Activate PROOF (Protected Online Filing): Register your company for HMRC and Companies House "PROOF" schemes. This ensures that Companies House will reject any paper filing forms and will only accept secure electronic submissions.
  • Consolidate Third-Party Access: Review who has the authority to file on your behalf. Remove old employees, former advisors, and outdated formation software permissions.

How CoreAcc Accountants Can Help

Cyber security and corporate accounting are no longer separate departments. At CoreAcc Accountants, we treat the protection of your corporate identity as part of our fundamental compliance service. We protect our clients by providing:

  • Secure ACSP Filing: As an Authorised Corporate Service Provider (ACSP), we submit all of your corporate changes through our secure, encrypted API link directly to Companies House, bypassing the vulnerable public web portals entirely.
  • Authentication Management: We can securely manage and monitor your company's Authentication Codes, ensuring they are only deployed via verified, multi-factor-protected accounting software.
  • Identity Verification Alignment: We handle the transition to the new mandatory director identity verification rules, ensuring your board is fully verified and locked down against external impersonation.
  • Proactive Alert Monitoring: We set up real-time digital monitoring on your Companies House profile, alerting you the exact second any change or filing is attempted on your record.

Contact CoreAcc Accountants today to run a security audit on your corporate filing credentials and ensure your business is fully protected against identity fraud.