
Companies House Data Breach Exposes Five Million UK Businesses: What You Need to Do Now


On Friday 13 March 2026, a routine browser action — pressing the back button four times — exposed one of the most significant data protection failures in UK public sector history. Companies House confirmed that a critical vulnerability in its WebFiling service had left the personal data of directors across 5 million registered companies accessible to anyone with a login. The flaw had been present for five months. For UK SMEs that rely on Companies House as a trusted government platform, this breach demands immediate attention and decisive action.

What Happened: A Five-Month Security Failure

The vulnerability traces back to October 2025, when Companies House updated its WebFiling platform to migrate from Government Gateway to GOV.UK One Login — the new single sign-on framework for government services. During integration, a critical authentication flaw was introduced that went undetected through testing, QA, and five months of live operation.

  • 5 months: duration the vulnerability remained undetected
  • 5 million: companies whose data was potentially accessible
  • Oct 2025: when the flawed update was deployed

John Hewitt, Director of Ghost Mail, discovered the flaw by accident. Pressing the browser's back button four times whilst logged in broke the authentication session, redirecting him into another company's dashboard — complete with directors' personal information, filing history, and the ability to submit filings on their behalf.

Hewitt reported the issue immediately. Companies House took WebFiling offline from 13-16 March for emergency patching and notified the ICO and NCSC, both of which have opened investigations.

Critical Warning

If your company has filed documents through WebFiling since October 2025, your directors' personal data — including dates of birth and residential addresses — may have been accessible to other users. Review your records immediately.

The Back Button Exploit: How It Worked

This was not a sophisticated zero-day exploit. It was a basic session management failure. The GOV.UK One Login integration failed to validate session tokens during backward browser navigation, creating a race condition that served another user's session data.

| Aspect | Expected Behaviour | Actual Behaviour |
|---|---|---|
| Session Validation | Each page load validates the session token server-side | Back-button navigation bypassed server-side checks |
| Cache Control | Sensitive pages marked no-cache, no-store | Dashboard pages were cached, serving stale sessions |
| Authentication State | One Login tokens bound to specific sessions | Token binding broke during backward navigation |
| Access Controls | Dashboard restricted to authorised users | Broken sessions landed users in other companies' dashboards |

This class of vulnerability — broken authentication through improper session management — ranks consistently in the OWASP Top 10. That it survived five months in a system handling data for millions of companies raises serious questions about Companies House's testing processes.
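As an added illustration of the "Expected Behaviour" column (example code, not Companies House or GOV.UK One Login code), the handler below validates the session server-side on every request, serves a company dashboard only when the validated session is bound to that company, and marks every authenticated response non-cacheable so a history traversal cannot replay it. The session store, tokens and company numbers are constructed.

```python
"""Hardened dashboard handler modelled on the expected-behaviour column.
Added example: session store, request shape and records are constructed."""
import time

# Constructed server-side session store: opaque token -> bound principal.
SESSIONS = {
    "tok-alice": {"user": "alice", "company": "01234567", "expires": time.time() + 3600},
    "tok-bob":   {"user": "bob",   "company": "07654321", "expires": time.time() + 3600},
    "tok-stale": {"user": "carol", "company": "09999999", "expires": time.time() - 1},
}

# Every authenticated response carries these so a browser cannot serve a
# previously rendered dashboard from its cache on back-button navigation.
NO_STORE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "0",
}

def validate_session(token, now=None):
    """Server-side check on every request: token must exist and be live."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(token)
    if sess is None or sess["expires"] <= now:
        return None
    return sess

def dashboard(token, company_number):
    """Handle GET /company/<company_number>/dashboard -> (status, headers, body).

    The company is taken from the URL but only served if the validated
    session is bound to it. Nothing is trusted from client-side state, so a
    broken or replayed navigation yields 401/403, never another company's data."""
    sess = validate_session(token)
    if sess is None:
        return 401, dict(NO_STORE_HEADERS), "sign in required"
    if sess["company"] != company_number:
        return 403, dict(NO_STORE_HEADERS), "not authorised for this company"
    return 200, dict(NO_STORE_HEADERS), f"dashboard for {company_number} ({sess['user']})"

def missing_cache_controls(headers):
    """Audit helper: list the cache directives a sensitive response lacks."""
    cc = {d.strip() for d in headers.get("Cache-Control", "").lower().split(",")}
    return [d for d in ("no-store", "no-cache") if d not in cc]
```

The audit helper can be pointed at captured responses from any authenticated page to confirm the cache-control expectation from the table holds.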

What Was Exposed vs What Was Safe

Accessible data:

  • Directors' full dates of birth (normally partially redacted in public filings)
  • Residential addresses, including those with suppression orders
  • Company email addresses linked to filing accounts
  • Ability to submit filings — accounts, director changes, confirmation statements — to other companies
  • Potential visibility of company authentication codes

NOT compromised:

  • Passwords and login credentials
  • Identity verification documents (passports, ID scans)
  • Existing filed documents could not be altered
  • Mass extraction was not feasible due to the manual nature of the exploit

  • 4 presses: back-button presses to trigger the exploit
  • 3 days: WebFiling offline for emergency patching

How Cybercriminals Could Exploit This

Companies House states no data was accessed or changed without permission. However, exploitation would have been difficult to detect — a user in another company's dashboard would appear as a normal session in logs.

Exploitation scenarios (likelihood ratings as shown in the original chart):

  • CEO Fraud & Business Email Compromise: 95%
  • Director Identity Theft: 88%
  • Unauthorised Company Filings: 82%
  • Targeted Phishing Campaigns: 78%
  • Corporate Espionage: 65%

With directors' full dates of birth, home addresses, and company emails, criminals can craft highly convincing CEO fraud and impersonation attacks. Full dates of birth plus residential addresses provide two of three key data points for UK identity fraud — enough to open bank accounts or register companies in directors' names.

This is the latest in a series of public sector data disasters. A bug of this scale, sitting undetected for five months, is a gift to cybercriminals. Even if Companies House says no data was accessed maliciously, the window of exposure was enormous — and proving a negative is virtually impossible.
— Graeme Stewart, Check Point Software Technologies

Unauthorised filings could have been the most damaging vector — fraudulent director appointments, false accounts, or altered confirmation statements all become part of the official public record and can take months to correct.

UK Public Sector Breaches: A Pattern

| Date | Organisation | Incident | Records Affected |
|---|---|---|---|
| Mar 2026 | Companies House | WebFiling auth bypass via browser back button | 5 million companies |
| Jan 2026 | Ministry of Defence | Payroll breach exposing personnel data | 272,000 personnel |
| Nov 2025 | NHS England | Patient records via API misconfiguration | 1.1 million records |
| Aug 2025 | Electoral Commission | Server breach undetected for over a year | 40 million voters |
| Mar 2025 | HMRC | Self Assessment session fixation vulnerability | Unknown scope |

The recurring theme is basic failures — misconfigured APIs, broken session management, inadequate access controls — not sophisticated attacks. Government platforms cannot be treated as inherently secure simply because they carry a .gov.uk domain.

Causes of the breaches above (as charted): basic security failures 65%; sophisticated external attacks 35%.

What Your Business Must Do Now

Step 1: Review Your Filing History

Check your company's filing history for unrecognised submissions between October 2025 and March 2026:

  • Director appointments or resignations you did not authorise
  • Changes to your registered office address
  • Annual accounts or confirmation statements with unfamiliar details
  • Amendments to persons with significant control (PSC) records

Step 2: Verify Directors' Information

Contact all listed directors and verify their details. Advise them to:

  • Place fraud alerts with Experian, Equifax, and TransUnion
  • Monitor credit reports for unauthorised applications
  • Register with the CIFAS protective registration service
  • Watch for targeted phishing referencing their Companies House details

Pro Tip

Directors can apply to Companies House for their residential address to be removed from the public register and replaced with a service address. The process is free via WebFiling or post.

Step 3: Change Authentication Codes

Request a new Companies House authentication code immediately. A new code will be posted to your registered office within five working days.

Step 4: Alert Your Teams

Ensure finance and administration staff are aware. They should watch for emails from Companies House, calls referencing director details, and requests to update banking information.
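An added triage helper for Step 1 (example code, not a Companies House tool): it filters a filing history down to the review window and the four filing types listed in Step 1, reporting anything the company does not recognise. The record shape (items with date, category and description) follows the public Companies House filing-history JSON as I understand it and is an assumption; the sample filings are constructed.

```python
"""Filing-history triage for the Step 1 review. Added example; the field
names are an assumption about the Companies House filing-history JSON and
the sample records are constructed."""
from datetime import date

# Review window from the article: flawed update live from October 2025,
# WebFiling taken offline and patched 13-16 March 2026.
WINDOW_START = date(2025, 10, 1)
WINDOW_END = date(2026, 3, 16)

# Filing categories mapped to the four checks in Step 1.
WATCHED_CATEGORIES = {
    "officers": "director appointment/resignation",
    "address": "registered office change",
    "accounts": "annual accounts",
    "confirmation-statement": "confirmation statement",
    "persons-with-significant-control": "PSC amendment",
}

# Constructed sample filing history standing in for a real export.
SAMPLE_FILINGS = [
    {"date": "2025-06-30", "category": "accounts", "description": "accounts-with-accounts-type-micro-entity"},
    {"date": "2025-11-14", "category": "officers", "description": "appoint-person-director-company-with-name-date"},
    {"date": "2026-01-09", "category": "address", "description": "change-registered-office-address-company-with-date-old-address-new-address"},
    {"date": "2026-02-02", "category": "capital", "description": "capital-allotment-shares"},
    {"date": "2026-03-20", "category": "confirmation-statement", "description": "confirmation-statement-with-no-updates"},
]

def filings_to_review(filings, start=WINDOW_START, end=WINDOW_END, known=frozenset()):
    """Return watched filings dated inside [start, end] that the company does
    not recognise. `known` holds (date, description) pairs of submissions the
    company itself made; everything else in a watched category is flagged."""
    flagged = []
    for f in filings:
        filed = date.fromisoformat(f["date"])
        if not (start <= filed <= end):
            continue
        if f["category"] not in WATCHED_CATEGORIES:
            continue
        if (f["date"], f["description"]) in known:
            continue
        flagged.append({**f, "check": WATCHED_CATEGORIES[f["category"]]})
    return flagged
```

Anything returned should be compared against the company's own filing log; a flagged item with no matching internal record is the case to raise with Companies House.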

Breach Response Checklist

  • Priority 1: Review filing history (Oct 2025 - Mar 2026)
  • Priority 1: Verify directors' personal details
  • Priority 2: Change authentication codes
  • Priority 2: Alert finance and admin teams
  • Priority 3: Set up credit monitoring for directors
  • Priority 3: Strengthen internal security controls

Long-Term Security: Building Resilience

This breach should catalyse a review of your broader security posture. Your data security is only as strong as the weakest platform in your supply chain.

Cyber Essentials Certification

The UK Government's Cyber Essentials scheme addresses five key technical controls that mitigate the majority of risks from breaches like this.

  • Firewalls & Internet Gateways (Essential)
  • Secure Configuration (Essential)
  • User Access Control (Essential)
  • Malware Protection (Essential)
  • Security Update Management (Essential)

Organisations with Cyber Essentials are 80% less likely to make a cyber insurance claim, and certification is increasingly required for government contracts.

Reactive vs Proactive Security

| Aspect | Reactive Security (responding after incidents occur) | Proactive Security (preventing incidents through structured controls) |
|---|---|---|
| Approach | Fix problems as they arise | Continuous monitoring and improvement |
| Cost Model | Unpredictable, often catastrophic | Predictable, significantly lower total cost |
| Breach Detection | Average 197 days in the UK | Hours to days with proper monitoring |
| Compliance | Scramble to meet requirements | Built into operations from the start |
| Staff Training | Ad hoc, after incidents | Regular, structured programmes |

Filing Governance

Many SMEs treat Companies House credentials as a shared resource. This breach should prompt a rethink:

  • Limit authentication code access to the minimum required people
  • Implement dual-authorisation for filings
  • Maintain a filing log recording who, when, and why
  • Set up Companies House email alerts for all filings against your company
  • Review third-party access — ensure accountants and secretaries have robust security

GDPR Implications

Companies House notified the ICO within the required 72 hours under Article 33 of the UK GDPR. Given exposed residential addresses and full dates of birth, Article 34 individual notification requirements are almost certainly triggered.

If you hold directors' personal data that has been compromised through this third-party breach, you may need to assess whether your own ICO notification is required.

The ICO will examine not just the breach itself, but the chain of decisions that led to a basic authentication flaw surviving five months in production. Organisations handling data at this scale must catch such vulnerabilities before deployment.

Key GDPR Actions

  • Document the incident in your breach register
  • Assess risk to affected directors and determine if notification is appropriate
  • Review data processing records for lawful basis of director data
  • Update risk assessments to reflect increased exposure

GDPR Compliance Warning

Failure to document this breach in your records could constitute a compliance gap if the ICO investigates. Maintain a record of the incident, your risk assessment, and the steps taken.

Trust in Government Digital Services

Every UK limited company must file with Companies House — there is no alternative. When a monopoly service suffers a breach of this magnitude, the power imbalance between provider and user is laid bare. The UK Government has positioned GOV.UK One Login as the cornerstone of its digital identity framework. If integrating it into Companies House introduced a vulnerability this basic, serious questions arise about the broader rollout.

  • £4.6B: UK Government annual digital services spend
  • 197 days: average UK breach detection time (IBM 2025)
  • 80%: fewer cyber insurance claims with Cyber Essentials

The practical takeaway: treat government platforms with the same security scepticism as any third-party service. Assume breaches will happen, monitor your data actively, and maintain your own controls.

How CloudSwitched Can Help

At CloudSwitched, we help UK SMEs build practical cyber security defences that work alongside commercial priorities. Our Cyber Essentials certification service takes you from assessment to certification with hands-on support, implementing controls that genuinely strengthen your posture.

Our managed IT support provides ongoing monitoring, maintenance, and incident response — from proactive patching to alert monitoring, keeping defences current against evolving threats.

Following this breach, we are offering complimentary security reviews for UK SMEs. Our team can assess your posture, review your filing history for anomalies, and recommend practical steps to strengthen your defences.

Concerned About Your Business's Security?

The Companies House breach is a wake-up call for every UK business. Whether you need Cyber Essentials certification, a security review, or ongoing IT support, our team is here to help protect what matters most.
