The Back Button That Broke Companies House: How Five Million Directors Had Their Home Addresses Exposed for Five Months
Press the back button. That is it. That is the entire technical exploit.
No sophisticated hacking tools. No zero-day vulnerability. No dark web marketplace. One registered Companies House user, one company number they wanted to target, one authentication prompt they couldn't pass, and four presses of the back button on their browser. At that point, they were inside the private dashboard of any of the five million companies registered at Companies House.
This was live from October 2025 until 13 March 2026. Five months.
If you are a company director in the UK, the personal data used to verify your identity, open accounts in your name, and reroute your business banking was potentially accessible to any logged-in WebFiling user for the better part of half a year. And you were never told.
What Actually Happened
The vulnerability was discovered on 12 March by John Hewitt at Ghost Mail, a corporate services provider. He noticed that the workflow for filing on behalf of another company, which had been updated as part of the integration with the government's One Login digital identity system, contained a fundamental access control flaw.
The exploit worked like this: log into your own Companies House WebFiling account. Navigate to your own company dashboard. Select the option to file for another company. Enter any UK company number. At the authentication prompt, where you would normally need that company's authentication code, press the back button four times. Instead of returning to your own dashboard, the system returned the dashboard of the company you had just tried to access. Their dashboard. Their private data.
Hewitt tried to contact Companies House directly. He didn't get a response. He then contacted Dan Neidle at Tax Policy Associates, who verified the vulnerability independently, demonstrated it on video, and then alerted Companies House himself. Companies House responded quickly: WebFiling was shut down at 1:30pm on Friday 13 March. The service was independently tested and restored at 9:00am on Monday 16 March.
Companies House CEO Andy King published an official statement on 16 March confirming the scope.
What Was Exposed
According to the official Companies House statement from CEO Andy King, the following data was potentially accessible to any logged-in WebFiling user across all five million registered companies:
Dates of birth of directors. Not published on the public register. Specifically withheld for fraud prevention reasons.
Residential home addresses of directors. Again, not on the public register. Held by Companies House for regulatory purposes only.
Company email addresses. The private email used for company notifications and official communications.
It may also have been possible to submit unauthorised filings: changes of director, changes of address, and potentially accounts.
Here is what was not affected, per the official statement: passwords were not compromised; no identity verification data such as passport information was accessed; and existing filed documents could not have been altered.
Companies House has also stated that the flaw could not have been used to extract data in bulk. Any access would have been limited to individual company records, one at a time, by a registered WebFiling user.
That caveat deserves scrutiny. Five months is a long time. Research suggests that discovered vulnerabilities are on average exploited within 15 days. The simplicity of this exploit, combined with the fact that Companies House is routinely used for fraudulent purposes, means the window for criminal discovery was substantial. And a sophisticated criminal group would not hoover up five million records at once. They would pick targets carefully, limit access to a few hundred companies a week, and stay well below any alert threshold.
The GDPR Situation
This is not just a security incident. This is a personal data breach on a substantial scale, covering some of the most sensitive categories of personal information: home addresses and dates of birth of millions of individuals.
Under UK GDPR, Companies House was required to notify the Information Commissioner's Office within 72 hours of becoming aware of the breach. The official statement confirms they have done this, and that the National Cyber Security Centre has also been notified.
Given the nature of the data and the potential risk to individuals, this is what the ICO would classify as a high-risk breach. That creates an obligation not just to notify the regulator, but to notify affected individuals. With five million companies in scope and no way yet to determine who was accessed, Companies House faces a practically impossible notification task.
Their stated approach is to email every company's registered email address with guidance. Which brings us to the part that should make your stomach drop.
The Notification Problem
If you are a company director whose data was accessed, and an attacker used the vulnerability to change your registered email address, Companies House will be sending the notification email to the attacker. Not to you.
This is not speculation. Tax Policy Associates confirmed during their investigation that when a change was submitted using the exploit, the confirmation email went to the person who initiated the filing change. Not the company whose details were changed. The affected company received no warning whatsoever.
So the government's plan to notify affected companies by email has a fundamental problem: if your email was changed by an attacker, you will not receive the warning.
This is why every company director in the UK needs to check their Companies House record today. Do not wait for an email that may never arrive, or may have been redirected.
What This Means for SMB Directors Specifically
Security experts who reviewed this vulnerability noted that directors of small and medium-sized companies are at higher risk than directors of large organisations. The reason is straightforward: large companies have multi-person authorisation controls. One person cannot alone authorise a large bank transfer, change company banking details, or open a credit facility.
At an SMB, that is often not the case. A sole director or a small leadership team can act unilaterally. Which means the data exposed by this breach (home addresses, dates of birth, email addresses) is precisely what a fraudster needs to impersonate a director and initiate financial transactions.
The specific attack scenarios security experts have identified include:
Targeted identity fraud: Using the exposed personal data to pass identity checks with banks or other financial institutions, particularly targeting directors of small companies with clean credit histories and no automated fraud controls.
Fraudulent borrowing: Modifying company details at Companies House so that criminals can open bank accounts and borrow in the name of legitimate businesses. Carried out carefully, on a small scale, this could run for months before detection.
Spear phishing: Using home addresses and personal email addresses to craft highly convincing phishing attacks targeting directors who are already Companies House users. The data gives attackers enough personal detail to bypass scepticism.
What You Need to Do Right Now
1. Check your Companies House record today.
Log in to Companies House directly at find-and-update.company-information.service.gov.uk and verify every piece of registered information. Registered office address. Director home addresses. Company email address. Director details. Check your filing history for any changes you did not make.
If anything is wrong, raise a complaint through the Companies House complaints procedure and include specific evidence of what has changed. Do not phone. Get it in writing.
2. Change your Companies House authentication code.
Your company authentication code is the six-character code used to authorise filings. Whether or not you believe your company was accessed, it is sensible to change it. If an attacker obtained a copy, changing the lock eliminates that risk.
3. Alert your accountant or filing agent.
If you use a third party to manage your Companies House filings, make sure they are aware and have checked your records on your behalf. They should be doing this proactively, but confirm it has been done.
4. Be alert to follow-on fraud attempts.
In the weeks and months ahead, be suspicious of unexpected correspondence claiming to be from Companies House, HMRC, or financial institutions. Be particularly alert to requests that reference your Companies House details. Treat any unsolicited contact that demonstrates knowledge of your director personal data as a potential fraud attempt.
5. Consider a CIFAS protective registration.
If you are concerned that your personal data may have been accessed and used for fraud, CIFAS protective registration adds a flag to your credit file that requires lenders to take additional steps before processing any application made in your name. It costs a small annual fee and provides meaningful protection against account-opening fraud.
How to Turn This Into a Competitive Advantage
This incident demonstrates something that security-aware businesses can use directly with their clients, suppliers, and partners.
The government's own digital infrastructure failed a basic security test. Not because of a sophisticated attack. Because of an authorisation flaw, introduced in a routine system update, that sat undetected for five months and was discovered by pressing the back button.
If the UK's official corporate register cannot implement basic access controls, your clients and partners need to know that security competence is not universal. Businesses that can demonstrate genuine security awareness, including knowing about incidents like this and taking proactive steps, stand apart from those who simply assume government systems are safe.
Specifically:
Use this to review your own access controls. The Companies House flaw was a textbook authentication versus authorisation failure. Are your own systems checking not just who is logged in, but what they are actually allowed to access? If you do not know the answer, find out.
Brief your clients if you handle their company details. If you are an accountant, solicitor, bookkeeper, or any professional who holds company registration details for clients, send them a note this week. Tell them what happened, what you have done to check their records, and what they should do. That is the kind of proactive communication that builds lasting client relationships.
Document your response. When clients or tenders ask about your approach to third-party data security, this incident and your response to it are a concrete example. You knew about it, you checked your records, you took action.
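To make the "who is logged in" versus "what they may access" distinction concrete, here is an added example, written for this article and not code from Companies House or WebFiling. It models the "file for another company" flow with an in-memory session and constructed sample data; the weak version renders whatever company the session last selected, which is an assumed cause of the back-button behaviour, not one confirmed by the official statement. The hardened version only renders a company the session has actually proved authorisation for.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data (not real Companies House records).
AUTH_CODES = {"00000001": "AAA111", "00000002": "BBB222"}  # per-company filing codes
DASHBOARDS = {n: f"private dashboard of company {n}" for n in AUTH_CODES}


@dataclass
class Session:
    user: str
    own_company: str
    pending_company: Optional[str] = None  # target chosen at "file for another company"
    authorised: set = field(default_factory=set)  # companies this session proved access to

    def __post_init__(self):
        self.authorised.add(self.own_company)  # a user may always see their own company


def select_other_company(session: Session, company_number: str) -> str:
    """Step 'file for another company': remember the target and show the auth code prompt."""
    session.pending_company = company_number
    return "prompt_for_auth_code"


def submit_auth_code(session: Session, code: str) -> bool:
    """Only a correct auth code moves the pending target into the authorised set."""
    target = session.pending_company
    if target is not None and AUTH_CODES.get(target) == code:
        session.authorised.add(target)
        return True
    return False


def dashboard_weak(session: Session) -> str:
    # Weak pattern (assumed, hypothetical cause): the page renders whatever company the
    # session last selected, so leaving the auth prompt unanswered still shows it.
    return DASHBOARDS[session.pending_company or session.own_company]


def dashboard_hardened(session: Session) -> str:
    # Hardened pattern: authorisation is enforced at render time against what the
    # session has proved, so an unanswered prompt changes nothing.
    company = session.pending_company or session.own_company
    if company not in session.authorised:
        raise PermissionError(f"{session.user} is not authorised for {company}")
    return DASHBOARDS[company]


def can_view(session: Session, render) -> bool:
    """True if the given dashboard renderer shows a page instead of refusing."""
    try:
        render(session)
        return True
    except PermissionError:
        return False
```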
How to Sell This to Your Board
If you are bringing this to a board or management discussion, here are the arguments that will land:
Financial exposure is real and quantifiable. If an attacker used this vulnerability to open credit in your company's name, the financial and reputational consequences fall on you. Fraud investigation, credit repair, legal costs, and potential liability are all on the table.
The government cannot be assumed to protect your data. This is a government-run system that was independently tested and restored to service, and the underlying cause was a routine system update. If this can happen to Companies House, the same class of failure exists in any digital system. Your own systems need their own access control review.
You have a GDPR obligation to be aware of data breaches affecting your company's data. Even where you are not the data controller responsible for the breach, the fact that your directors' personal data was held by a third party that has now experienced a breach has implications for your own record-keeping and risk management.
Action today costs nothing. Checking your Companies House record and changing your authentication code takes fifteen minutes. The cost of not doing it, if your details were accessed and subsequently used for fraud, could be substantial.