TL;DR: The UK's Companies House left a security flaw open for five months that exposed home addresses, dates of birth, and email addresses for the directors of 5 million registered companies. The vulnerability was introduced in October 2025 and discovered on March 13, 2026. The bypass method? Log into your own account, try to file for another company, hit your browser's back button four times, and you're in their dashboard. Companies House CEO Andy King insists the flaw "could not have been used to extract data in large volumes." He may want to tell that to anyone who has used a web scraper before.
The Four-Click Hack
John Hewitt at Ghost Mail, a corporate services provider, discovered the flaw on March 13, 2026. The exploit was embarrassingly simple [1][2]:
- Log into your own Companies House WebFiling account
- Attempt to file documents for a different company
- Get the authentication prompt
- Press your browser's back button four times
- Congratulations, you're now in their dashboard
No technical skills required. No hacking tools. Just your browser's back button and a willingness to try.
The vulnerability had been live since October 2025 when Companies House updated their WebFiling system. For five months, anyone who stumbled onto this could access other companies' sensitive data.
What Got Exposed
The WebFiling dashboard contains information that's specifically protected from public view [1][2][3]:
- Residential addresses of company directors (not the service addresses shown publicly)
- Dates of birth (only month/year is public; full dates were exposed)
- Company email addresses used for official filings
- Filing capability (attackers could potentially submit fraudulent filings)
Companies House says passwords and passport data weren't affected, and filed documents couldn't be changed. But the real danger isn't document tampering. It's the identity theft goldmine of combining directors' home addresses with their dates of birth.
The Scale
The UK has approximately 5 million registered companies with active directors. Every one of them potentially had their private data exposed for five months [4].
That includes sole traders running small businesses from home, with their residential addresses now potentially compromised. It includes directors of major corporations. It includes anyone whose address is supposed to be protected from public disclosure for safety reasons.
Companies House requires directors to provide residential addresses, but only displays service addresses publicly. This vulnerability exposed the actual home addresses that are supposed to stay private.
"It Couldn't Extract Data in Large Volumes"
Companies House CEO Andy King offered this reassurance in an official statement: "We believe that this issue could not have been used to extract data in large volumes or to access records systematically" [2].
That's a bold claim for a bug that requires nothing more than a browser and patience. Anyone with basic scripting knowledge could have automated this. Log in, hit the filing page, simulate four back button presses, scrape the dashboard, repeat for the next company number.
Companies House says they've found no evidence of systematic exploitation. That's either good news, or it means they can't detect it.
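Whether systematic access can be ruled out depends on what the server logged. As an added example (not Companies House code; the event names and log schema are assumptions, and the sample events are constructed), this check flags sessions that viewed a company's dashboard without a passed authentication step for that company, then groups the findings to show sessions that did so across several companies:

```python
from collections import defaultdict

# Constructed sample events in a hypothetical log schema:
# (timestamp, session_id, event, company_number)
SAMPLE_EVENTS = [
    ("2026-01-05T09:00:01", "s1", "login", None),
    ("2026-01-05T09:00:20", "s1", "auth_code_ok", "00000001"),
    ("2026-01-05T09:00:25", "s1", "dashboard_view", "00000001"),
    ("2026-01-05T10:14:02", "s2", "login", None),
    ("2026-01-05T10:14:30", "s2", "auth_code_ok", "00000002"),
    ("2026-01-05T10:15:10", "s2", "auth_prompt", "00000003"),
    ("2026-01-05T10:15:18", "s2", "dashboard_view", "00000003"),
    ("2026-01-05T10:16:40", "s2", "auth_prompt", "00000004"),
    ("2026-01-05T10:16:47", "s2", "dashboard_view", "00000004"),
    ("2026-01-05T10:17:05", "s2", "dashboard_view", "00000002"),
]

def find_unauthorised_views(events):
    """Return dashboard views for companies the session never authenticated for."""
    authorised = defaultdict(set)  # session_id -> companies with a passed auth step
    findings = []
    # Process in time order so a later auth step cannot excuse an earlier view.
    for ts, session, event, company in sorted(events, key=lambda e: e[0]):
        if event == "auth_code_ok":
            authorised[session].add(company)
        elif event == "dashboard_view" and company not in authorised[session]:
            findings.append((ts, session, company))
    return findings

def sessions_by_spread(findings, threshold=2):
    """Sessions with unauthorised views across >= threshold distinct companies."""
    spread = defaultdict(set)
    for _, session, company in findings:
        spread[session].add(company)
    return {s: sorted(c) for s, c in spread.items() if len(c) >= threshold}

if __name__ == "__main__":
    hits = find_unauthorised_views(SAMPLE_EVENTS)
    for ts, session, company in hits:
        print(f"{ts} session={session} viewed {company} without authentication")
    print("multi-company sessions:", sessions_by_spread(hits))
```

If dashboard views were not logged with both a session identifier and a company number, a check like this cannot be run, and "no evidence" says little either way.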
The Response
Once Hewitt reported the flaw, Companies House shut down WebFiling at 1:30pm on Friday, March 13. The service came back online Monday morning, March 16, after what they describe as independent security testing [2].
Companies House reported the incident to both the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC). They've emailed all registered companies advising them to check their registered details and filing history [2].
Dan Neidle of Tax Policy Associates publicized the vulnerability after the fix went live, drawing attention to just how simple the exploit was [5].
What This Means for UK Directors
If you're a director of a UK company, assume your residential address and date of birth may have been accessed during the five-month window.
Steps to take now:
- Log into WebFiling and check your company's filing history for any submissions you didn't make
- Review your registered details to ensure nothing has been changed
- Contact Companies House at [email protected] with "WebFiling issue" in the subject line if anything looks wrong
- Watch for targeted scams (attackers with your home address and birthday can craft convincing phishing attempts)
- Consider credit monitoring (the combination of name, address, and date of birth is exactly what identity thieves need)
The Pattern Continues
This follows a familiar script: government system gets updated, security flaw introduced, months pass before discovery, officials downplay the risk.
The UK government has pushed hard for Companies House to verify director identities and crack down on fraud. But they can't protect that identity data from a bug that anyone with a browser could exploit.
The ICO investigation is ongoing. Whether there will be any consequences for five months of exposed private data remains to be seen. The track record suggests a sternly worded statement and a promise to "learn lessons."
In the meantime, 5 million directors' home addresses may be circulating somewhere. Companies House says there's no evidence. That's not the same as saying it didn't happen.
References
[1] Help Net Security - "Millions of UK firms on alert after Companies House data exposure" (March 17, 2026)
[2] GOV.UK - "Update on Companies House WebFiling security issue" (March 2026)
[3] UpGuard - "Gov.Uk Suffers Data Leak" (March 20, 2026)
[4] GB News - "'Astonishing' Companies House data breach exposed millions of director's private information" (March 2026)
[5] Tax Policy Associates - "Companies House vulnerability enabled company hijacking" (March 13, 2026)