The UK's Open Book: How Public Data Turns Directors Into Targets

Social Engineering

Before an attacker sends a phishing email, makes a fraud call, or impersonates your bank, they do their homework. For a UK SMB director, that homework takes under twenty minutes and costs nothing.

This is the uncomfortable reality the podcast series is built around. But the Monday episode is forty minutes of audio. This is the written version with the detail, the sources, and the specific steps that make the problem less overwhelming.

Why the UK Is Unusually Exposed

Every country with a company register has some version of this problem. The UK version is particularly sharp because of how several systems interact.

The Companies House register is public, searchable, and structured. It offers an API with a published rate limit of 600 requests per five minutes. That limit matters for bulk data collection. It does not meaningfully restrict a human attacker who wants to research one business. The register exposes registered office addresses, director names, persons with significant control, filing history, financial accounts, confirmation statements, and charges.

From that data alone, an attacker can establish who controls the business, identify the finance decision-maker, assess company health, spot recent changes, and find address patterns across current and historical filings.

Then there is the electoral register.

The Electoral Register Nobody Talks About

The UK electoral register exists in two forms. The full register is restricted to specified uses including law enforcement, credit checks, and election administration. The open register is available for general commercial sale. You are on the open register by default unless you actively opted out.

The open register is sold to commercial buyers including credit reference agencies, direct marketing companies, and data brokers. Those brokers package it, enrich it with other sources, and sell it again. The result is that your home address, correlated with your name, is a commercial product available to anyone willing to pay a modest fee.

For a director who used or still uses their home address as a Companies House service address or registered office, the two sources combine. Business identity and personal address are linked in a searchable, purchasable profile.

From 27 January 2025, Companies House introduced new measures allowing directors to remove their residential addresses from historical filings if they were previously used as the company’s registered office. These changes stem from the Economic Crime and Corporate Transparency Act 2023. The process costs £30 per application. The requirement to update the live registered office address before applying for suppression still applies. And suppression of the Companies House record does not reach copies already taken by data brokers.

Once data leaves the original source, it does not vanish because the source was updated.

LinkedIn: The Accidental Organisational Chart

LinkedIn is an excellent professional networking platform. It is also an extremely efficient reconnaissance tool.

Director profiles reveal roles, reporting structures, tenure, past employers, and current projects. Colleague profiles reveal the organisational map. Job adverts are particularly revealing. A job advert for an IT administrator that lists Microsoft 365, Fortinet, Datto, Sage, and an ongoing SharePoint migration does not describe a role. It describes the company’s entire technology stack, its cloud migration status, its backup provider, its finance software, and implicitly its security posture.

A targeted phishing email built on that information can reference the SharePoint migration, impersonate the Microsoft 365 support team, or spoof an invoice from a Datto reseller. None of that is exotic. All of it is made possible by public professional information that nobody removed because nobody thought to.

Domain Records and Email Infrastructure

Public DNS records show which provider handles a company’s email. MX records identify Microsoft 365, Google Workspace, Mimecast, Proofpoint, or Hornetsecurity. SPF, DKIM, and DMARC records reveal email authentication posture. Certificate transparency logs expose subdomains. Old login portals and decommissioned remote access gateways remain visible long after they stop being used.

Attackers use this not to launch technical exploits but to personalise lures. If they know the email provider, the phishing page mimics that provider. If they find an old VPN portal, they know what the support escalation might reference. If DMARC is absent or in monitoring mode, domain spoofing becomes easier.

The Combined Profile

The output of twenty minutes of free, passive, legal research on a typical UK SMB director:

  • Full name, company role, and directorships at other entities
  • Registered office address and any historic home address appearances
  • Company financial health, filing behaviour, and recent structural changes
  • Key personnel beyond the director: finance lead, operations lead, external IT provider
  • Current and past suppliers from public case studies, website badges, and LinkedIn posts
  • Technology stack from job adverts and platform-specific posts
  • Email provider from DNS records
  • Organisational culture and communication style from LinkedIn activity
  • Travel patterns, events attended, and public commitments from social media

None of this constitutes a breach. None of it required hacking. None of it is illegal to gather.

The Practical Fix

The good news is that most of the risk is addressable through administrative action rather than technical investment.

Check Companies House now. Look for home addresses in any current or historical officer records or registered office history. Fix live records first, then pursue suppression for historical records where eligible. The application costs £30 and requires the registered office to already show a non-residential address.

Opt out of the open electoral register. Contact your local council or use gov.uk. It takes minutes and does not affect your right to vote. It removes your home address from the commercially available version of the register.

Review LinkedIn and job adverts. You can recruit without publishing a technology inventory. Remove specific platform names, vendor references, and migration details from public job posts. Review director profiles for unnecessary personal detail.

Check domain records. Confirm SPF, DKIM, and DMARC are configured. Identify and decommission old portals and remote access routes.
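The DMARC and SPF posture described in the Domain Records section, and the "confirm SPF, DKIM, and DMARC are configured" check above, as an added example that is not part of the original article. It classifies the published TXT records the way an attacker would read them (monitoring-mode DMARC and soft-fail SPF both leave spoofing easy); the sample records are constructed and the domain names are placeholders.

```python
import re

# Constructed sample TXT records, not real domains or live lookups. For your own
# domain, fetch TXT for <domain> (SPF) and _dmarc.<domain> (DMARC) with dig.
SAMPLE = {
    "weak.example": ("v=spf1 include:spf.protection.outlook.com ~all",
                     "v=DMARC1; p=none; rua=mailto:dmarc@weak.example"),
    "strong.example": ("v=spf1 include:spf.protection.outlook.com -all",
                       "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example"),
}

def assess_spf(record):
    """Classify an SPF record by its terminal 'all' qualifier."""
    if not record or not record.lower().startswith("v=spf1"):
        return "missing"
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record)
    if not match:
        return "no-all"  # no default mechanism: unlisted senders are not rejected
    qualifier = match.group(1) or "+"
    return {"-": "enforced", "~": "softfail", "?": "neutral", "+": "permissive"}[qualifier]

def assess_dmarc(record):
    """Classify a DMARC record by policy and the share of mail it applies to."""
    if not record:
        return "missing"
    # Split 'k=v; k=v' into lowercase tags.
    tags = {k.strip().lower(): v.strip()
            for k, v in (p.split("=", 1) for p in record.split(";") if "=" in p)}
    if tags.get("v", "").upper() != "DMARC1":
        return "invalid"
    policy = tags.get("p", "none").lower()
    if policy == "none":
        return "monitoring"  # report-only: failing (spoofed) mail is still delivered
    pct = tags.get("pct", "100")
    return policy if not pct.isdigit() or int(pct) >= 100 else policy + "-partial"

def spoofing_risk(spf_record, dmarc_record):
    """Roll both checks into one verdict: how easy is it to spoof this domain?"""
    spf, dmarc = assess_spf(spf_record), assess_dmarc(dmarc_record)
    if dmarc in ("missing", "invalid", "monitoring"):
        return spf, dmarc, "high"
    if dmarc in ("reject", "quarantine") and spf == "enforced":
        return spf, dmarc, "low"
    return spf, dmarc, "medium"

def audit(records=SAMPLE):
    """Return {domain: (spf_status, dmarc_status, risk)} for a record set."""
    return {d: spoofing_risk(spf, dmarc) for d, (spf, dmarc) in records.items()}
```

Anything rated "high" is the case the article warns about: the domain is trivially spoofable regardless of which provider the MX records reveal.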

This is housekeeping. Boring, effective housekeeping.

How to Turn This Into a Competitive Advantage

For MSPs and IT advisers, OSINT exposure audits are a billable service most competitors have not developed. Helping a client search themselves as an attacker would, documenting what is visible, and walking through the fix list is a concrete deliverable with immediate client impact.

For business owners, demonstrating to larger clients and procurement teams that you actively manage director exposure is a differentiator. Most SMBs never address this. Being able to say you do, with documentation, is a supply chain security signal that procurement departments increasingly value.

How to Sell This to Your Board

Three points that land without needing a technical dictionary.

The research phase of a targeted attack costs the attacker nothing. There is no investment barrier between a criminal and a detailed profile of your directors. That asymmetry matters.

The fix is mostly administrative and mostly free. Companies House suppression costs £30. Electoral register opt-out costs nothing. LinkedIn hygiene costs an afternoon. These are not budget conversations.

UK directors are more exposed than their counterparts in several comparable European economies. This is not a market failure or a technical problem. It is a consequence of specific UK data publication obligations and a data broker market that has grown regardless of GDPR. Your directors cannot wait for that to be fixed before reducing their personal exposure.

What to Do This Week

  1. Search your company on Companies House. Check every address field in current and historical records.
  2. Check whether home addresses appear under any officer or PSC record, current or historic.
  3. Opt out of the open electoral register at your local council.
  4. Read your own LinkedIn profile as an attacker would. Remove what should not be there.
  5. Review the last three job adverts your business published. Identify what they reveal about your systems.

Sources

  • Companies House: Remove your home address from the Companies House register
  • GOV.UK: Economic Crime and Corporate Transparency Act 2023
  • ICO: Electoral register and the open register opt-out
  • NCSC: Defending against social engineering
  • Companies House: Companies House API rate limiting documentation
  • GOV.UK: Cyber Security Breaches Survey 2025/2026