
Mar 18, 2026

Pressing the Back Button Four Times Gave Anyone Access to 5 Million UK Firms' Private Data

A trivial authentication bypass in the UK's company registry exposed directors' home addresses, birth dates, and email details for five months before it was discovered.

The Vulnerability Nobody Checked For

Companies House is the official registry of every company incorporated in the United Kingdom. It holds records for more than five million active firms, including the names and personal details of every director, secretary, and person of significant control. Some of that data is public. A significant portion is not, including directors' residential addresses, full dates of birth, and the email addresses used to manage filings. On March 12, 2026, security researcher John Hewitt of Ghost Mail discovered that the non-public data was accessible to anyone with an ordinary WebFiling login, a browser, and a few seconds of patience.

The exploit was stunningly simple. A logged-in WebFiling user could select the option to file on behalf of another company, enter that company's registration number, and then, when prompted for the company's authentication code, press the browser's back button four times. Instead of landing on an error page or being locked out, the user was dropped directly into the target company's filing dashboard with full access. No authentication code for the target company. No security challenge of any kind. Nothing beyond the attacker's own account login.
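The page does not say what the underlying bug was, but a back-button bypass of a multi-step flow almost always means the server granted access on the wrong piece of session state. The following is an added illustration, not Companies House code and not a confirmed root cause: a hypothetical "file on behalf of another company" flow in which the dashboard checks that a company was selected rather than that its authentication code was verified, shown next to a hardened version where only the verify handler writes a grant and that grant names the specific company. The company numbers, authentication codes, user names, and function names are all constructed. It also covers a related pitfall the page does not mention: a bare "verified" flag that survives re-selecting a different company.

```python
"""Hypothetical model of a 'file on behalf of another company' flow.

Added illustration, not Companies House code. One logic error that
produces the symptom described on the page: the dashboard checks that a
company was *selected* in the session, not that the authentication code
for that company was *verified*. Skipping the code prompt (what the back
button does) then lands the user on the dashboard.
"""
from dataclasses import dataclass, field
import hmac

# Constructed sample data: company number -> authentication code.
AUTH_CODES = {"01234567": "ABCD1234", "07654321": "ZZZZ9999"}


@dataclass
class Session:
    """Server-side session for one logged-in WebFiling user (hypothetical)."""
    user: str
    data: dict = field(default_factory=dict)


# --- Vulnerable flow (assumed root cause; the page does not confirm it) ---

def vuln_select_company(session: Session, company_number: str) -> str:
    # Target is bound to the session as soon as it is typed in, before any
    # proof that this user may act for it.
    session.data["company"] = company_number
    return "auth_code_prompt"


def vuln_verify_code(session: Session, code: str) -> str:
    expected = AUTH_CODES.get(session.data.get("company"), "")
    if hmac.compare_digest(code, expected):
        session.data["verified"] = True  # set, but nothing downstream checks it
        return "dashboard"
    return "auth_code_prompt"


def vuln_dashboard(session: Session):
    # Access decision keyed on "a company is selected", a state the browser
    # reaches without ever submitting the code form.
    company = session.data.get("company")
    return None if company is None else {"company": company, "filing_as": session.user}


# --- Hardened flow: only the verify handler writes the grant ---

def safe_select_company(session: Session, company_number: str) -> str:
    session.data["pending_company"] = company_number   # candidate only
    session.data.pop("authorised_company", None)       # new selection revokes old grant
    return "auth_code_prompt"


def safe_verify_code(session: Session, code: str) -> str:
    pending = session.data.get("pending_company")
    expected = AUTH_CODES.get(pending)
    if pending is None or expected is None or not hmac.compare_digest(code, expected):
        return "auth_code_prompt"
    session.data["authorised_company"] = pending  # grant names the exact company
    del session.data["pending_company"]
    return "dashboard"


def safe_dashboard(session: Session):
    company = session.data.get("authorised_company")
    return None if company is None else {"company": company, "filing_as": session.user}


# --- Scenarios (constructed accounts) ---

def back_button(select, dashboard, target="01234567"):
    """Select the target, reach the code prompt, navigate back past it, open dashboard."""
    s = Session(user="attacker@example.com")
    select(s, target)
    # Back button: the code form is never submitted, so verify() never runs.
    return dashboard(s)


def switch_after_verify(select, verify, dashboard, own="07654321", target="01234567"):
    """Verify a company you do control, then re-select another without re-verifying."""
    s = Session(user="attacker@example.com")
    select(s, own)
    verify(s, AUTH_CODES[own])
    select(s, target)
    return dashboard(s)


def legitimate(select, verify, dashboard, target="01234567"):
    s = Session(user="director@example.com")
    select(s, target)
    verify(s, AUTH_CODES[target])
    return dashboard(s)
```

The design point is that the access decision must read a fact the server itself recorded at the moment the check passed, and that fact must identify what was authorised. A flag set by the "select" step, or a boolean that does not name the company, is something the browser can reach (or reuse) without ever proving anything.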


Five Months of Open Access

The vulnerability was not a fresh regression caught within days. An investigation by Companies House traced the flaw to an update deployed in October 2025, so the bypass had been live for roughly five months before Hewitt identified it. During that window, any registered WebFiling user could have opened any other company's dashboard, read its non-public data, and potentially submitted unauthorized filings, including director changes and account modifications.

Tax policy researcher Dan Neidle of Tax Policy Associates publicized the vulnerability after Hewitt reported it, describing the lapse as "astonishing." Companies House took the WebFiling service offline on March 14 and restored it on March 17 after deploying a patch. The organization reported the incident to the Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC).

Companies House CEO Andy King stated that the organization believes "this issue could not have been used to extract data in large volumes or to access records systematically." That assessment may prove optimistic. The flaw required no technical skill to exploit, and even without bulk extraction, a five-month window is ample for a determined actor to look up, one company at a time, the specific directors whose private details held value.

What Data Was Exposed

The information accessible through the bypass went beyond what Companies House makes available through its free public search. While anyone can look up a company's name, registered office address, and basic filing history, the WebFiling dashboard exposed data that directors had every reason to expect would remain private.

  • Directors' full residential addresses, not just the service addresses shown on public records
  • Complete dates of birth, rather than the month and year shown publicly
  • Company email addresses used for filing correspondence
  • The ability to submit filings on behalf of the company, including changes to director information

Companies House confirmed that passwords, identity verification documents such as passports, and previously filed financial accounts were not accessible through the vulnerability. But for identity theft, targeted harassment, or corporate fraud, the combination of a director's full name, home address, date of birth, and email address is more than sufficient.

Why This Matters Beyond the UK

Government operated databases that handle sensitive business information exist in every jurisdiction. The Companies House incident is a case study in how a single authentication logic error, one that would likely have been caught by basic penetration testing, can expose an entire national business registry. The vulnerability did not require a zero day exploit, a compromised supply chain, or a sophisticated attack toolkit. It required pressing the back button.

For compliance officers and data protection professionals, the incident raises immediate questions about government bodies that act as data controllers. Companies that provided their directors' personal information to Companies House did so under a legal obligation: they had no choice but to submit that data and no means of auditing how it was stored or protected. When the controller is the government itself, the usual remedies available under data protection law become significantly more complicated to pursue.

The ICO investigation will determine whether Companies House met its obligations under UK GDPR to implement "appropriate technical and organisational measures" to protect personal data. A five-month window in which any WebFiling account could reach any company's private dashboard, caused by a regression introduced during a routine update, suggests the answer may not be favorable.

What Affected Firms Should Do Now

Companies House has urged all five million registered UK businesses to review their online records and verify that no unauthorized filings were submitted during the exposure window. Directors should check that their registered details, including service addresses and appointed officers, have not been altered. Any discrepancies should be reported to Companies House immediately.
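Because filings submitted through WebFiling appear in a company's public filing history, the review Companies House is asking for can be scripted for a portfolio of companies. The following is an added example, not Companies House tooling: it flags filings dated inside the exposure window whose category would change who controls the company or where it is found. The offline part works on a filing-history JSON document; the fetch function targets the Companies House public data API using the endpoint, basic-auth scheme, and field and category names as the author understands the published documentation, which is an assumption to confirm against the API reference before relying on it. The sample response, company numbers, and transaction ids are constructed. The script cannot tell a legitimate filing from a fraudulent one; it produces the short list a director has to confirm by hand.

```python
"""Surface filings made during the exposure window for review.

Added example, not Companies House tooling. flag_filings() works offline
on a filing-history document; fetch_filing_history() calls the Companies
House public data API using the endpoint and field names as the author
understands the published docs (an assumption to check before relying on
it). The tool cannot know which filings were legitimate; it produces the
list a director has to confirm by hand.
"""
import base64
import json
import urllib.request
from datetime import date

WINDOW_START = date(2025, 10, 1)  # update deployed October 2025; exact day not given
WINDOW_END = date(2026, 3, 17)    # WebFiling restored with the patch

# Categories whose filings change who controls or where to find the company.
# Assumed category values; confirm against the API's filing-history schema.
SENSITIVE_CATEGORIES = {"officers", "address", "persons-with-significant-control"}


def fetch_filing_history(company_number: str, api_key: str, items_per_page: int = 100) -> dict:
    """GET /company/{number}/filing-history; API key as the basic-auth username.
    Network call, not exercised offline. Longer histories page via start_index."""
    url = ("https://api.company-information.service.gov.uk/company/"
           f"{company_number}/filing-history?items_per_page={items_per_page}")
    token = base64.b64encode(f"{api_key}:".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def flag_filings(history: dict, start: date = WINDOW_START, end: date = WINDOW_END) -> list:
    """Filings dated within [start, end] in a sensitive category, oldest first."""
    flagged = []
    for item in history.get("items", []):
        filed = date.fromisoformat(item["date"])
        if start <= filed <= end and item.get("category") in SENSITIVE_CATEGORIES:
            flagged.append({
                "date": item["date"],
                "type": item.get("type"),
                "description": item.get("description"),
                "transaction_id": item.get("transaction_id"),
            })
    return sorted(flagged, key=lambda f: f["date"])


# Constructed sample document in the shape of a filing-history response.
SAMPLE_HISTORY = {
    "items": [
        {"date": "2025-09-20", "category": "address", "type": "AD01",
         "description": "change-registered-office-address", "transaction_id": "t1"},
        {"date": "2025-11-30", "category": "accounts", "type": "AA",
         "description": "accounts-with-accounts-type-micro-entity", "transaction_id": "t2"},
        {"date": "2025-12-15", "category": "officers", "type": "TM01",
         "description": "termination-director", "transaction_id": "t3"},
        {"date": "2026-01-10", "category": "confirmation-statement", "type": "CS01",
         "description": "confirmation-statement", "transaction_id": "t4"},
        {"date": "2026-03-02", "category": "officers", "type": "AP01",
         "description": "appoint-director", "transaction_id": "t5"},
    ]
}


def review_report(history: dict = SAMPLE_HISTORY) -> list:
    """One line per flagged filing, for the director to confirm or dispute."""
    return [f"{f['date']} {f['type']} {f['description']} ({f['transaction_id']})"
            for f in flag_filings(history)]


if __name__ == "__main__":
    for line in review_report():
        print("REVIEW:", line)
```

The window starts at the beginning of October 2025 because the page gives only the month of the faulty update; widen it if Companies House publishes an exact deployment date. Anything the report lists that the company did not submit itself should go to Companies House immediately, as the page advises.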

Directors whose residential addresses were accessible through the vulnerability should consider whether they are at elevated risk of identity fraud. Monitoring credit reports and being alert to phishing attempts that reference their company roles is advisable. The exposed email addresses also create an opening for highly targeted phishing campaigns that appear to come from Companies House itself or from other directors within the same organization.

The broader lesson is familiar but worth repeating. Authentication is only as strong as its implementation. A system whose authentication step can be skipped by pressing the back button was never enforcing that step on the server at all; it was trusting the browser to walk through the flow in order. And when the system in question holds the private details of every company director in a major economy, the consequences of that failure extend far beyond the technical.