The system that has recently leaked directors’ home addresses through a supporting icon is the same one the UK government intends to store biometric data in.
UK’s Companies House briefly turned its own corporate register into a self-service fraud toolkit. A vulnerability in the UK’s official business registry permitted public access to the private records of other companies by simply pressing the back button without any hacking needed.
Directors’ home addresses, email addresses, and their dates of birth were all accessible to the public for reading, besides editing by anyone who knew where to look.
Companies House is the government body where every limited liability company must legally register to exist. This registry holds the official record of who operates Britain’s businesses. This information includes the personal details of every director. When incorporating a company in the UK, the information is recorded in the register. There is no option out.
There is interest in the timing of this finding. Since November 25th, all directors in the UK have been legally required to verify their identities through GOV.UK One Login to act in their roles. This procedure was for feeding passport scans, biometric data and government credentials into the same companies’ House infrastructure. That is the same system whose dashboard just handed out private director records to anyone who pressed the back button.
Founder of Tax Policy Associates, Dan Neidle, flagged the issue to Companies House on Friday, 13 March ‘26. Neidle was blunt about what the flaw made possible. He told the Press Association that people could obtain enough data about a company and its directors to potentially commit fraud or pretend to be them. He added that the risk wasn’t just passive exposure. Anyone with access could update a company’s registered address to their own. Also, intercept official correspondence, besides documents. He went on to add that one can do all kinds of damage.
