UK Companies House Browser Back Button Exposes 5.43M Companies' Directors' Addresses and Dates of Birth for Five Months

Mar 13, 2026 · 5.43M companies · 152-day exposure · IDOR

HIGH CORROBORATED

By Karim El Labban · ZERO|TOLERANCE

For five months, any authenticated user of the UK's Companies House WebFiling service could access the private dashboard of any of the 5.43 million registered companies - including directors' residential addresses, full dates of birth, and company email addresses - by pressing the browser back button four times.

The vulnerability, introduced during an October 2025 migration to GOV.UK One Login authentication, also enabled unauthorized filings against other companies, including director changes and accounts submissions.

John Hewitt, operations director at corporate services provider Ghost Mail, discovered the flaw on March 12, 2026. After failing to reach Companies House directly, he contacted Dan Neidle of Tax Policy Associates, who escalated the report.

Companies House shut down the WebFiling service at 13:30 GMT on March 13 and restored it at 09:00 GMT on March 16 following an independent security review.

CEO Andy King stated the flaw "could not have been used to extract data in large volumes" - a technically accurate but narrow reassurance. Nothing in the public reporting indicates that the "file for another company" workflow was rate-limited or monitored, so a motivated actor with five months of access could have queried individual company dashboards one at a time, repeatedly, without tripping a control.

Companies House proactively reported the incident to the Information Commissioner's Office and the National Cyber Security Centre.

No confirmed reports of unauthorized access or fraudulent filings have been disclosed as of March 31, 2026, though Companies House has acknowledged it is still analyzing its logs for anomalies.

Companies House is an executive agency of the Department for Business and Trade, employing 1,866 staff with annual income of GBP 220.3 million.

It holds ISO 27001 and PCI DSS certifications - both of which require access control testing that should have caught a back-button authentication bypass within days, not five months.

01

KEY FACTS

  • What: Broken access control vulnerability in the Companies House WebFiling service allowed any authenticated user to access any other company's private dashboard and submit unauthorized filings by pressing the browser back button four times after initiating a filing for another company.
  • Who: Companies House (UK government executive agency, Department for Business and Trade). 5.43 million registered companies and their directors, secretaries, and persons of significant control potentially affected. Any of the approximately 7 million WebFiling users could have exploited the flaw.
  • How: Broken access control - a session management failure introduced during the October 2025 migration from Government Gateway to GOV.UK One Login authentication. The application switched the session's company context when the target company number was entered, before the authentication code was validated; navigating back through browser history then reached the target company's dashboard without the code ever being checked.
  • Data: Directors' full dates of birth (day, month, year), residential addresses (not normally published on the public register), company registered email addresses. Unauthorized filing capability (director changes, accounts submissions, registered office changes).
  • Actor: N/A - no threat actor. This was a software vulnerability in a government service. Discovered by John Hewitt (Ghost Mail), escalated by Dan Neidle (Tax Policy Associates).
  • Impact: WebFiling service taken offline for 67.5 hours (13:30 Friday March 13 to 09:00 Monday March 16). ICO and NCSC notified. 5.43 million companies instructed to review their records and filing history. ICO investigation ongoing.

02

WHAT HAPPENED

On October 13, 2025, Companies House migrated its WebFiling service from the legacy Government Gateway authentication system to GOV.UK One Login - a centralized single sign-on platform designed to provide a unified identity layer across UK government digital services.

The migration replaced the previous shared-access model, where multiple users within a company could share a single login, with a system in which each individual must create a personal GOV.UK One Login account and link it to a company using a unique authentication code.

The update was intended to strengthen identity assurance and reduce unauthorized access. It introduced the opposite.

The vulnerability worked as follows. A user logged into the WebFiling service using their own valid GOV.UK One Login credentials, accessed their own company's dashboard, and then selected the "file for another company" option.

The system prompted them to enter the target company's registered number - any of the 5.43 million companies on the register - and then requested the target company's unique authentication code.

At this point, the user did not have the authentication code and would normally be blocked. Instead, pressing the browser back button four times returned the user to a dashboard - but not their own dashboard.

The application served the target company's private dashboard, bypassing the authentication code check entirely.

From the target company's dashboard, the unauthorized user could view information that Companies House withholds from the public register: directors' full dates of birth (the public register shows only month and year; the dashboard shows the day as well), directors' usual residential addresses (treated as protected information under the Companies Act 2006, which lets a director put a service address on the public register while supplying the home address to Companies House), and the company's registered email address.

More critically, the unauthorized user could also submit filings against the target company - including changes to director information, accounts submissions, and registered office changes.

Confirmation emails for these filings would be sent to the unauthorized user, not to the legitimate company contacts, meaning fraudulent filings could be submitted without the target company's knowledge.

The vulnerability was introduced in the October 2025 update and remained exploitable for approximately five months.

John Hewitt, operations director at Ghost Mail - a corporate services provider - discovered the flaw on Thursday, March 12, 2026. He attempted to contact Companies House directly but did not receive a response.

He then contacted Dan Neidle, founder of Tax Policy Associates, a tax policy think tank.

Neidle verified the vulnerability and reported it to Companies House, which shut down the WebFiling service at 13:30 GMT on Friday, March 13, 2026. The service was restored at 09:00 GMT on Monday, March 16, 2026, after independent testing confirmed the fix.

Companies House CEO Andy King stated: "We believe that this issue could not have been used to extract data in large volumes or to access records systematically."

Companies House confirmed that no passwords were compromised, no identity verification data (such as passport information used for the new identity verification requirements) was accessible, and no previously filed documents could have been altered.

The agency stated it had "no reports at this stage of data having been accessed or changed without permission" but acknowledged that analysis was ongoing.

03

WHAT WAS EXPOSED

The following non-public data was accessible through the vulnerability:

  • Directors' full dates of birth - including the day component, which is suppressed from the public register under the Companies Act 2006. The public register shows only month and year. The full date of birth is a key identity verification element used in KYC checks, credit applications, and fraud schemes.
  • Directors' residential addresses - the Companies Act 2006 lets a director register a "service address" for the public register (Sections 163 and 165) while the usual residential address is held by Companies House as protected information (Section 240). This regime exists specifically to protect directors from physical threats, harassment, and unwanted contact. The vulnerability exposed the exact data that directors had legally opted to suppress.
  • Persons of significant control (PSC) residential addresses - similarly protected under the Companies Act, these addresses identify individuals holding more than 25% of shares or voting rights.
  • Company registered email addresses - used for official communications between Companies House and the company.
  • Dashboard filing capabilities - the ability to submit director changes, accounts, registered office changes, and other filings against the target company without authorization. Confirmation emails for unauthorized filings would route to the attacker, not the company.

The exposure of residential addresses and full dates of birth is particularly severe for directors who have actively used the legal protections available to suppress this information.

These include directors of companies involved in sensitive sectors, individuals who have experienced threats or harassment, and directors whose home addresses were previously protected by court orders or Companies House suppression applications.

The vulnerability rendered all of these protections meaningless for five months.

04

TECHNICAL FAILURE CHAIN

1. Broken access control in the "file for another company" flow. The core failure is OWASP A01:2021 - Broken Access Control.

When a user entered a target company number and was prompted for that company's authentication code, the application appears to have switched the session's company context to the target before the code was validated. Pressing the browser back button reached a dashboard page, and the server rendered it for whichever company the session now pointed at. The application did not verify, on each request, that the authenticated user was entitled to the specific company whose data was being served.

Within the IDOR family, this is a missing object-level authorization check: the user names the object (the company number) and the server never confirms entitlement before acting on it, compounded by session state being mutated before the authorization step had completed.

2. No server-side authorization check on dashboard access. The dashboard endpoint did not independently verify that the requesting user's session was authorized to access the specific company's data.

Instead, it relied on the assumption that the client-side authentication flow would prevent unauthorized navigation - a violation of the principle that security controls must be enforced server-side, not client-side.

3. Protected state reached the client before the code was validated. The exact mechanism has not been published. Two readings fit the reports: the browser replayed a dashboard page the server had already sent (a browser cache weakness), or back navigation issued a fresh request that the server answered for the target company.

The second is the more likely, because a cached page alone would not explain the ability to submit filings against the target; that requires the server-side session to have been pointing at the target. Either way, the authentication code gate was ordered after the point at which the session had already changed.

4. No session isolation between companies. The WebFiling service did not maintain strict session isolation between the user's own company context and the target company context during the "file for another company" workflow.

Once a user initiated a filing for another company, the session context shifted to the target company without a completed authorization check - and without invalidating the previous navigation state.

5. Inadequate regression testing of the GOV.UK One Login migration. The October 2025 migration from Government Gateway to GOV.UK One Login was a fundamental change to the authentication architecture.

The back-button bypass is not an edge case - it is a standard check in any web application security assessment. The OWASP Web Security Testing Guide covers it under authentication bypass (WSTG-ATHN-04, "Testing for Bypassing Authentication Schema", OTG-AUTHN-004 in the older numbering), browser cache weaknesses (WSTG-ATHN-06, which is specifically the back-button and history case), and insecure direct object references (WSTG-ATHZ-04).

Companies House holds ISO 27001 certification, which requires regular security testing. PCI DSS certification requires quarterly vulnerability scans and annual penetration testing.

A back-button authentication bypass should have been caught in any competent security review of the new authentication flow.

6. Five-month detection gap. The vulnerability was live from October 13, 2025, to March 13, 2026 - approximately 152 days. Companies House did not detect the flaw through internal testing, automated scanning, user-reported anomalies, or security audit.

It was found by an external user. This indicates a failure in continuous monitoring, post-deployment validation, and anomaly detection. There is no public evidence that Companies House conducted a post-deployment security review of the GOV.UK One Login migration.

7. No rate limiting or anomaly detection on cross-company access patterns. CEO Andy King's reassurance that the flaw "could not have been used to extract data in large volumes" relies on the one-at-a-time access limitation.

However, an automated script could have iterated through all 5.43 million company numbers sequentially, accessing each dashboard one at a time. Spread over the 152-day window that is roughly 36,000 dashboards a day, or one request every two to three seconds - well within what a single client can sustain without looking like a burst.

If, as the public reporting suggests, there was no rate limiting, anomaly detection, or behavioral analysis on the "file for another company" workflow, no control prevented systematic enumeration over the five-month window.

05

INDICATORS OF COMPROMISE

No threat actor IOCs - incident was a broken access control vulnerability.

Vulnerability Classification:

  • OWASP A01:2021 - Broken Access Control / IDOR
  • Introduced during October 2025 GOV.UK One Login migration

Technical Details:

  • Affected: Companies House WebFiling service
  • Exposure: 152 days (October 13, 2025 - March 13, 2026)
  • 5.43 million companies potentially accessible
  • Browser back button x4 bypassed authentication

06

REGULATORY EXPOSURE

  • UK GDPR Article 5(1)(f) - Integrity and confidentiality principle. The controller must process personal data in a manner that ensures appropriate security, including protection against unauthorized access. Exposing directors' residential addresses and full dates of birth to any authenticated user for five months is a clear violation of the integrity and confidentiality principle.
  • UK GDPR Article 32 - Security of processing. The controller must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. A broken access control vulnerability that allows any user to view any other user's protected data - exploitable by pressing the browser back button - fails the Article 32 standard. The ICO will assess whether Companies House's testing, deployment, and monitoring practices were commensurate with the sensitivity of the data processed.
  • UK GDPR Article 33 - Notification to the supervisory authority. Controllers must notify the ICO within 72 hours of becoming aware of a personal data breach. Companies House became aware on March 13, 2026, and proactively reported to the ICO on the same day. This obligation appears to have been met.
  • UK GDPR Article 34 - Communication to the data subject. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must notify affected individuals without undue delay. The exposure of residential addresses - particularly for directors who had specifically used legal protections to suppress them - constitutes high risk. Companies House emailed all registered companies but has not confirmed individual notification to all directors whose protected data was exposed.
  • Data Protection Act 2018 (UK) - Section 146 gives the ICO power to issue assessment notices requiring organizations to demonstrate compliance; Section 149 provides for enforcement notices and Sections 155-157 for penalty notices and their maximum amounts. Maximum fine under UK GDPR: GBP 17.5 million or 4% of annual global turnover, whichever is higher. Companies House income for 2024-2025 was GBP 220.3 million, so 4% is approximately GBP 8.8 million and the applicable cap would be GBP 17.5 million. As a government executive agency, Companies House has not historically been fined by the ICO, which has generally pursued reprimands and enforcement notices against public bodies rather than financial penalties. However, the ICO has signaled a willingness to fine public sector organizations - it fined the Ministry of Defence GBP 350,000 in December 2023 for an email data breach.
  • Companies Act 2006 - Section 240 (protected information: directors' usual residential addresses) and Section 790ZF (the equivalent protection for persons of significant control). These provisions exist so that a service address, not a home address, appears on the public register. The WebFiling vulnerability negated these protections entirely. While Companies House is the custodian of this data rather than a third party, the failure to protect statutorily suppressed information may expose it to legal claims from directors whose suppressed addresses were accessed.
  • Computer Misuse Act 1990 - Section 1 (unauthorized access to computer material). Any individual who exploited the vulnerability to access another company's dashboard without authorization may have committed an offense under Section 1, carrying a maximum penalty of 2 years' imprisonment and/or an unlimited fine. However, prosecution would require proving that the individual knew at the time that the access was unauthorized - which may be difficult given that the application served the data through its normal interface in response to standard browser navigation.
  • NIS2 and UK equivalents - NIS2 is an EU directive and does not apply in the UK, where the current framework is the NIS Regulations 2018. The Cyber Security and Resilience Bill, currently before Parliament, is expected to extend mandatory incident reporting requirements to a broader range of public sector entities; Companies House, as a government entity underpinning the UK's corporate governance infrastructure, would be a natural candidate for inclusion under such a framework.

07

INTEL GAPS

1. Whether the vulnerability was exploited during the five-month window. Companies House has stated it has "no reports" of unauthorized access but has not confirmed that its logging infrastructure is sufficient to detect exploitation retrospectively.

Exploitation is distinguishable in logs only if the application recorded, per request, the user, the company whose dashboard was served, and whether an authentication code check had succeeded for that pairing. A plain access log of dashboard URLs would look like normal navigation.

2. Whether any unauthorized filings were actually submitted.

Companies House stated that unauthorized filings "may have been possible" but has not confirmed whether any fraudulent director changes, accounts submissions, or registered office changes were made through the vulnerability during the October 2025 to March 2026 window.

3. The total number of WebFiling users who accessed the "file for another company" workflow during the vulnerability window. This figure would indicate the upper bound of potential exploitation.

4. Whether Companies House conducted a post-deployment security review of the GOV.UK One Login migration in October 2025, and if so, why the back-button bypass was not detected.

5. Whether the independent security testing conducted before the March 16 restoration was a full penetration test or a targeted fix verification.

08

ZERO|TOLERANCE Advisory

1. Enforce server-side authorization on every dashboard request. Every request to the company dashboard endpoint must independently verify that the authenticated user's session is authorized to access the specific company's data.

This check must occur on the server, not in the client-side authentication flow. The application must never serve protected data to the browser before authorization is fully confirmed - regardless of navigation path, browser history state, or URL manipulation.

This is OWASP Broken Access Control 101.

2. Invalidate session context on authentication failure. When a user fails - or abandons - the authentication code step, the application must immediately discard any pending target-company state. Better still, entering a company number should never change the session's authorized scope at all: the scope widens only on a successful authentication code check, and everything before that is a pending request with no privileges attached.

The target company's dashboard data must never be loaded into the browser's navigation history, cache, or DOM until the authentication code is validated.

Set HTTP cache-control headers (Cache-Control: no-store, no-cache, must-revalidate) on all protected pages so the browser does not retain them in cache or, in most browsers, in the back/forward cache. This is defence in depth: it does not substitute for the server-side check, which is the only control that also prevents unauthorized filings.
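As an added example, not code from Companies House or GOV.UK One Login, the following Python model of the "file for another company" workflow illustrates failure-chain points 1 to 4 and advisory points 1 and 2 side by side. The vulnerable handlers switch the session's company context as soon as a number is entered; the hardened handlers keep an explicit set of authorised companies that grows only on a successful authentication code check and is consulted on every dashboard request. The register, codes, director data, handler names and the modelling of "back" as a fresh dashboard request are all constructed assumptions. The two scenario functions at the end are the shape of the negative regression test the advisory's point 5 asks for.

```python
# Added example: model of the "file for another company" flow. Not Companies
# House code; register contents, codes and handler names are constructed.
from dataclasses import dataclass, field
from typing import Optional
import hmac

# Constructed register: company number -> authentication code plus the
# non-public data the dashboard renders (full DOB, home address).
REGISTER = {
    "00000001": {"auth_code": "AAA111", "directors": [
        {"name": "A. Director", "dob": "1970-01-02", "home": "1 Example Road"}]},
    "00000002": {"auth_code": "BBB222", "directors": [
        {"name": "B. Director", "dob": "1965-03-04", "home": "2 Sample Street"}]},
}

# Defence in depth only: keeps protected pages out of caches and, in most
# browsers, out of the back/forward cache. It does not replace the check
# in dashboard() below.
NO_STORE = {"Cache-Control": "no-store, no-cache, must-revalidate",
            "Pragma": "no-cache"}


@dataclass
class Session:
    user: str
    authorised: set = field(default_factory=set)   # companies this session may act for
    pending: Optional[str] = None                  # company awaiting an auth code
    active: Optional[str] = None                   # vulnerable design's "current company"


@dataclass
class Response:
    status: int
    body: dict
    headers: dict = field(default_factory=dict)


def login(user: str, own_company: str) -> Session:
    # One Login says who the user is; linking says which company they act for.
    return Session(user=user, authorised={own_company}, active=own_company)


# --- Vulnerable design: context switches before the code is checked -------

def vuln_start_filing_for(session: Session, company_number: str) -> Response:
    session.active = company_number                # scope changed too early
    return Response(200, {"page": "enter-auth-code"})


def vuln_dashboard(session: Session) -> Response:
    # Renders whatever the session points at; no entitlement check at all.
    company = REGISTER[session.active]
    return Response(200, {"company": session.active,
                          "directors": company["directors"]})


# --- Hardened design: entering a number grants nothing; every dashboard
#     request checks the company named in the URL against the session ------

def start_filing_for(session: Session, company_number: str) -> Response:
    session.pending = company_number               # remembered, not authorised
    return Response(200, {"page": "enter-auth-code"}, NO_STORE)


def submit_auth_code(session: Session, code: str) -> Response:
    target, session.pending = session.pending, None
    if target not in REGISTER or not hmac.compare_digest(code, REGISTER[target]["auth_code"]):
        return Response(403, {"error": "invalid authentication code"}, NO_STORE)
    session.authorised.add(target)                 # the only place scope grows
    return Response(303, {"location": f"/company/{target}/dashboard"}, NO_STORE)


def dashboard(session: Session, company_number: str) -> Response:
    # Object-level check on every request, however the browser arrived here
    # (back button, history entry, typed URL, bookmark).
    if company_number not in session.authorised:
        return Response(403, {"error": "not authorised for this company"}, NO_STORE)
    company = REGISTER[company_number]
    return Response(200, {"company": company_number,
                          "directors": company["directors"]}, NO_STORE)


# --- The back-button sequence as a negative regression test ---------------

def vulnerable_scenario(target: str = "00000002") -> Response:
    s = login("user-a", "00000001")
    vuln_dashboard(s)                              # own dashboard
    vuln_start_filing_for(s, target)               # prompted for code, never supplies it
    return vuln_dashboard(s)                       # "back": dashboard re-requested


def hardened_scenario(target: str = "00000002", code: Optional[str] = None) -> Response:
    s = login("user-a", "00000001")
    dashboard(s, "00000001")
    start_filing_for(s, target)
    if code is not None:
        submit_auth_code(s, code)
    return dashboard(s, target)                    # same "back" navigation


if __name__ == "__main__":
    leak = vulnerable_scenario()
    print("vulnerable:", leak.status, leak.body["company"])                  # 200 00000002
    print("hardened, no code:", hardened_scenario().status)                   # 403
    print("hardened, valid code:", hardened_scenario(code="BBB222").status)   # 200
```

The point of the hardened version is that the company is named in the request and checked against the session on every call; nothing the user does before submit_auth_code succeeds changes what dashboard() will serve. Framed as a regression test, vulnerable_scenario is the negative case that should fail on a correct build and hardened_scenario the case that should pass.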

3. Conduct mandatory penetration testing on all authentication architecture changes. The October 2025 migration from Government Gateway to GOV.UK One Login was a wholesale replacement of the authentication system.

Any change of this magnitude requires a dedicated penetration test covering all OWASP authentication bypass scenarios - including browser history manipulation, back-button navigation, session fixation, and direct URL access.

ISO 27001 Annex A control 8.29 (security testing in development and acceptance; A.14.2.8 in the 2013 edition) requires security functionality to be tested before systems go live. That testing was either not performed on the new authentication flow or did not include the basic bypass cases.

4. Implement cross-company access rate limiting and behavioral analytics. The "file for another company" workflow should have rate limits, anomaly detection, and behavioral baselines.

Any user accessing more than a small number of other companies' dashboards within a defined period should trigger automated alerts. This control would have both detected exploitation and limited the blast radius to individual company lookups rather than systematic enumeration.

5. Deploy post-deployment security regression testing. After any production deployment - particularly one affecting authentication - automated security regression tests should verify that access controls function correctly.

These tests should specifically include negative test cases: verifying that unauthorized users cannot access protected resources through any navigation path, including back-button navigation, direct URL entry, and cached page retrieval.

6. Implement real-time filing anomaly detection.

Given that the vulnerability enabled unauthorized filings, Companies House should implement real-time monitoring for filing anomalies - including filings submitted by users who have not previously filed for the target company, filings submitted immediately after a "file for another company" workflow, and filings where the submitter's IP or session metadata differs from the company's historical filing patterns.

These controls would detect and block fraudulent filings regardless of the access control vulnerability.
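As an added example (not Companies House tooling), the following is the detection logic that failure-chain point 7 and advisory points 4 and 6 call for, run over constructed log lines. The log format, the event names (login_company, auth_code_ok, file_for_another, dashboard, filing_submitted), the window and the threshold are all assumptions; WebFiling's real logs are not public. Rule one flags any dashboard view or filing on a company the user's session was never granted, which is what a back-button bypass looks like when grants and acts are logged separately; rule two escalates a user who accumulates more than five such companies in an hour to an enumeration alert.

```python
# Added example: log-based detection for the back-button bypass pattern.
# Not Companies House tooling; log format, event names and thresholds are
# assumptions, and SAMPLE_LOG is constructed.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)(?: company=(?P<company>\d{8}))?$")

GRANT_EVENTS = {"login_company", "auth_code_ok"}   # give a session rights over a company
ACT_EVENTS = {"dashboard", "filing_submitted"}     # act on a company; need a prior grant


def parse(line):
    """One log line -> dict with a datetime 'ts', or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines, window=timedelta(hours=1), max_unauthorised=5):
    """Return alerts for (a) any dashboard view or filing on a company the user's
    session was never granted, and (b) users who accumulate more than
    max_unauthorised distinct such companies inside `window` (enumeration)."""
    authorised = defaultdict(set)     # user -> companies with a grant event
    recent = defaultdict(deque)       # user -> (ts, company) of unauthorised acts
    flagged = set()                   # users already escalated to enumeration
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        user, event, company, ts = ev["user"], ev["event"], ev["company"], ev["ts"]
        if event in GRANT_EVENTS and company:
            authorised[user].add(company)
        elif event in ACT_EVENTS and company not in authorised[user]:
            alerts.append({"rule": "unauthorised_context", "user": user,
                           "company": company, "event": event, "ts": ts})
            dq = recent[user]
            dq.append((ts, company))
            while dq and ts - dq[0][0] > window:   # drop acts outside the window
                dq.popleft()
            distinct = {c for _, c in dq}
            if len(distinct) > max_unauthorised and user not in flagged:
                flagged.add(user)
                alerts.append({"rule": "enumeration", "user": user,
                               "companies": len(distinct), "ts": ts})
    return alerts


def _sweep(user, first, count, start_minute):
    # Constructed: `user` enters consecutive company numbers, skips the code
    # step and lands on each dashboard 20 seconds later.
    out = []
    for i in range(count):
        n, m = f"{first + i:08d}", start_minute + i
        out.append(f"2026-01-14T11:{m:02d}:00Z user={user} event=file_for_another company={n}")
        out.append(f"2026-01-14T11:{m:02d}:20Z user={user} event=dashboard company={n}")
    return out


# Constructed sample: u123 does the bypass once, u555 files for another
# company legitimately (auth_code_ok precedes the dashboard), u999 walks a
# block of six numbers.
SAMPLE_LOG = [
    "2026-01-14T10:00:00Z user=u123 event=login_company company=00000001",
    "2026-01-14T10:00:05Z user=u123 event=dashboard company=00000001",
    "2026-01-14T10:01:00Z user=u123 event=file_for_another company=00000002",
    "2026-01-14T10:01:20Z user=u123 event=dashboard company=00000002",
    "2026-01-14T10:05:00Z user=u555 event=login_company company=00000003",
    "2026-01-14T10:05:30Z user=u555 event=file_for_another company=00000004",
    "2026-01-14T10:05:45Z user=u555 event=auth_code_ok company=00000004",
    "2026-01-14T10:06:00Z user=u555 event=dashboard company=00000004",
    "2026-01-14T11:00:00Z user=u999 event=login_company company=00000009",
] + _sweep("u999", 10, 6, start_minute=1)


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["rule"], a["user"], a.get("company", a.get("companies")), a["ts"].isoformat())
```

Corporate service providers such as the one that found this flaw legitimately act for hundreds of companies, so the enumeration rule only works because it counts unauthorised companies; counting every company a user touches would drown the signal in agent traffic. The logging precondition matters more than the rule itself: if the application records only dashboard URLs, rule one has nothing to key on, which is exactly the intel gap noted above.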

09

SOURCES

GOV.UK (Companies House), Tax Policy Associates (Dan Neidle), The Register, Help Net Security, BleepingComputer, Cybersecurity News, Computer Weekly, SecurityWeek, UpGuard, ACCA Global, GB News, Cybersecurity Intelligence, CyberPress, SC Media, Digit.fyi, Punchline Gloucester, Bright SG, Elemental CoSec, Morris Owen, Virtual Company Secretary, Companies House Annual Report 2024-2025, GOV.UK One Login
