AIBD
Wednesday, 10 June 2026
Sarah Kim
Workplace Transformation Editor

Companies House Security Breach Exposed Five Million Company Dashboards

Simple browser exploit gave attackers access to director addresses, filing systems, and company records for five months


Monday 7 June 2026: The Day After the Horse Bolted

Companies House finally closed a catastrophic security vulnerability last weekend that had exposed the private dashboards of all five million registered UK companies since October 2025. The exploit was so elementary that a determined ten-year-old with basic web browsing skills could have accessed your company's confidential filing system.

The vulnerability, discovered by Ghost Mail's John Hewitt on 12 March and reported by Tax Policy Associates five days later, required nothing more sophisticated than logging into your own company dashboard, selecting 'file for another company', entering any target company number, and pressing the back button when prompted for an authentication code.

Congratulations. You're now in someone else's private filing system.
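A minimal model of how a back-button bypass of this kind can arise, next to the server-side check that prevents it. This is an added example, not Companies House code: the page does not state the root cause, so the early context switch in `VulnerableFlow` is an assumption, and the class names, company numbers and authentication codes are all constructed.

```python
import hmac

# Constructed sample data: company number -> authentication code
AUTH_CODES = {"00000001": "ABC123", "00000002": "XYZ789"}


class VulnerableFlow:
    """Assumed flaw: step 1 switches the session's active company before the
    code is checked, so abandoning step 2 (pressing back) leaves it switched."""

    def __init__(self, own_company):
        self.active_company = own_company

    def select_company(self, number):
        self.active_company = number       # context switched too early

    def submit_code(self, code):           # step 2: never reached after 'back'
        return hmac.compare_digest(code, AUTH_CODES.get(self.active_company, ""))

    def dashboard(self):
        return self.active_company         # no authorisation check on read


class HardenedFlow:
    """The target stays 'pending' until its code is verified, and every
    dashboard request re-checks a server-side set of authorised companies."""

    def __init__(self, own_company):
        self.active_company = own_company
        self.authorised = {own_company}
        self.pending = None

    def select_company(self, number):
        self.pending = number              # nothing is granted yet

    def submit_code(self, code):
        target, self.pending = self.pending, None   # one attempt per selection
        expected = AUTH_CODES.get(target or "", "")
        if target and expected and hmac.compare_digest(code, expected):
            self.authorised.add(target)
            self.active_company = target
            return True
        return False

    def dashboard(self):
        if self.active_company not in self.authorised:
            raise PermissionError("session not authorised for this company")
        return self.active_company
```

The point of the hardened version is that access depends on what the session has proven, checked on every request, not on which page of the flow the browser last displayed.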

What This Means for Your Monday Morning

Every company director should immediately verify their Companies House records. The vulnerability exposed directors' home addresses, personal email addresses, full dates of birth, and filing history. Attackers could change company details and file accounts on behalf of hijacked companies.

Companies House has confirmed that while passwords and identity verification documents weren't exposed, the breach could facilitate fraud targeting small company directors: impersonation, phishing, and social engineering attacks designed to authorise fraudulent payments.

The registrar shut down its entire WebFiling system on Friday evening after being alerted, but this was five months after the vulnerability was introduced in October 2025.

The Workflow: Checking Your Records

Step 1: Log into your Companies House account and review all filed documents since October 2025. Look for any unauthorised changes to director details, registered addresses, or filed accounts.

Step 2: Check your personal information displayed in the dashboard. Has your home address, email, or date of birth been accessed or altered?

Step 3: Review your filing history. Any unexpected submissions could indicate unauthorised access.

Step 4: If you discover discrepancies, report them immediately to Companies House using their online contact form and consider notifying Action Fraud.

The timing couldn't be more unfortunate. This breach occurred during the twelve-month transition period for director identity verification, precisely when Companies House was promoting enhanced security measures under the Economic Crime and Corporate Transparency Act.

The Broader Picture: A Very Modern Irony

The vulnerability emerged as Companies House underwent its most significant transformation in 180 years, gaining new powers to query filings, reject inaccurate information, and strike companies off the register. Since March 2024, it has positioned itself as a major player in preventing economic crime.

Yet for five months, anyone could hijack any company's filing system by pressing 'back' at the right moment.

The exploit was so simple that it defies belief. According to Tax Policy Associates' analysis, an attacker needed only to incorporate their own £100 company to gain legitimate dashboard access, then use the vulnerability to target any of the other 4,999,999 companies on the register.

Companies House claims it's unaware of any instances where the vulnerability was exploited maliciously. But given the trivial nature of the attack and the five-month window, this seems optimistic at best. The registrar's letter to affected parties, issued on 17 March, acknowledged that individual company records could be "viewed one at a time" but insisted large-scale data extraction wasn't possible.

Small comfort for directors whose home addresses and personal details were exposed to anyone with basic web navigation skills.

Fee Increases During Security Failures

Companies House introduced substantial fee increases on 1 February 2026. Incorporation fees rose to £100, confirmation statements to £50, and voluntary strike-offs to £13. The official justification was funding enhanced security and verification systems.

Meanwhile, a vulnerability introduced three months earlier was happily exposing every company's private records.

The breach shows the risks of Companies House's accelerated digital transformation. New systems for identity verification, ACSP registration, and enhanced filing powers have been rolled out rapidly, but basic security testing appears to have been inadequate.

What's Coming Next

Companies House has promised to contact all potentially affected companies, though with five million registered entities, this will take considerable time. Directors should not wait for official notification before checking their records.

The registrar's enhanced enforcement powers, including fines up to £10,000 and the ability to strike companies off without court orders, were designed to combat economic crime. The vulnerability has potentially handed fraudsters a five-month head start.

Look for Companies House to announce a formal review of its security procedures in the coming weeks. The registrar's reputation for enhanced verification and anti-fraud measures has taken a significant blow.

Next deadline on the horizon: The ACSP registration requirements, originally scheduled for spring 2026, have been delayed to "no earlier than November 2026". Given the current security concerns, further delays seem inevitable.

Because apparently, when you're transforming the entire UK corporate registration system, testing whether the 'back' button works correctly is optional.
