A security vulnerability in Companies House's online filing service exposed confidential data belonging to company directors, with records for around 5 million registered UK companies reachable through it, and shows how a basic access control failure in a shared foundational service becomes a systemic risk for the whole business ecosystem. The flaw allowed any authenticated director to reach confidential information belonging to other companies through nothing more than ordinary browser navigation.
The vulnerability was a classic access control failure rooted in session handling: authorisation granted for one company was carried in the user's session rather than re-checked for each record requested. According to reporting from Infosecurity Magazine, a director could use the browser's back button to move between different company records while the session kept the elevated access it had been given for a different company, allowing them to view, and potentially modify, records they had no legitimate right to.
Key Facts:
- Confidential records of around 5 million UK companies were reachable through the flaw
- Any authenticated director could access, and potentially modify, records of any registered UK business
- Exploitation needed nothing more than ordinary browser navigation (the back button) combined with a session whose authorisation was not re-checked on each request
- Companies House is the central registry for all UK limited companies and LLPs, so every business that relies on its data inherits the failure
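To make the failure mode concrete, here is an added illustrative model. It is not Companies House's code (the cited reporting does not publish the implementation); it contrasts a handler that records "this user has been authorised" in the session and then trusts that flag for whatever company number a later URL names with one that authorises every request against the record actually requested and marks the confidential response non-cacheable. The company numbers, director names, session structure and data strings are all constructed for the example.

```python
"""Illustrative model of the access-control pattern described above.

Added example, not Companies House's code. A vulnerable handler that
authorises once and then trusts a session flag for any company a later
URL names, beside a hardened one that authorises every request against
the requested record. Company numbers, directors and data are constructed.
"""
from dataclasses import dataclass, field

# Constructed registry: which directors may view each company's confidential record.
DIRECTORS = {
    "00000001": {"alice"},
    "00000002": {"bob"},
}
CONFIDENTIAL = {
    "00000001": "Alice Ltd: director home addresses, authentication code",
    "00000002": "Bob LLP: director home addresses, authentication code",
}


@dataclass
class Session:
    user: str
    authorised: bool = False  # vulnerable design: one flag for "passed a check"


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def vulnerable_view(session: Session, company: str) -> Response:
    """Checks the director only until the session flag is set; after that any
    company number in the URL is served. Pressing back simply re-requests an
    earlier URL with the now-elevated session."""
    if not session.authorised:
        if session.user not in DIRECTORS.get(company, set()):
            return Response(403, "forbidden")
        session.authorised = True  # authorisation carried across navigation
    return Response(200, CONFIDENTIAL[company])


def hardened_view(session: Session, company: str) -> Response:
    """Authorises this user against this company on every request and tells
    the browser not to keep the confidential page in any cache."""
    if session.user not in DIRECTORS.get(company, set()):
        return Response(403, "forbidden")
    return Response(
        200,
        CONFIDENTIAL[company],
        headers={"Cache-Control": "no-store", "Pragma": "no-cache"},
    )


def replay(view, session: Session, urls: list) -> list:
    """Replays a browsing sequence and returns the status code of each request."""
    return [view(session, company).status for company in urls]


def run_scenario():
    """Alice (director of 00000001 only) first tries Bob's company, then opens
    her own, then presses back to Bob's company.
    Returns (vulnerable statuses, hardened statuses)."""
    history = ["00000002", "00000001", "00000002"]
    vulnerable = replay(vulnerable_view, Session("alice"), history)
    hardened = replay(hardened_view, Session("alice"), history)
    return vulnerable, hardened


if __name__ == "__main__":
    v, h = run_scenario()
    print("vulnerable:", v)  # third request served: [403, 200, 200]
    print("hardened:  ", h)  # third request refused: [403, 200, 403]
```

The per-request check is the fix; `Cache-Control: no-store` is a complementary hardening that stops a confidential page surviving in the browser cache after logout or on a shared machine, and does not substitute for authorising the request.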
What This Means for Business Identity Security
This incident highlights a fundamental weakness in how business identity systems handle authorisation and session state. The flaw shows that even a government registry can miss a basic principle: the server must check, on every request, that the authenticated user is entitled to the specific record being asked for, and must never treat browser navigation (the back button included) as a trusted state transition. Despite the "session" label, this is not session fixation; it is broken access control, the class that tops the OWASP Top 10, and exactly the kind of failure the NCSC's identity and access management guidance exists to prevent.
For UK businesses this is both a direct data exposure and a broader concern about the resilience of critical business infrastructure. The records reachable through the flaw potentially included directors' personal details, company financial information and other confidential filings, all of which are useful to an attacker for identity fraud, company hijacking, business impersonation or targeted social engineering. Broken access control of this kind is among the most common web application weaknesses in every sector, which is why identity governance, meaning clear and enforced rules about who may read and change which record, needs to be treated as a baseline control rather than an afterthought.
Boardroom Questions
- How confident are we that our own business registration and identity verification processes would detect fraudulent filings made using data exposed in this breach?
- What controls do we have in place to verify the authenticity of supplier and partner business registrations whose details may have been exposed?
- Are we monitoring for any suspicious activity related to our company registration details that could indicate fraud attempts using exposed data?
Quick Diagnostic
- Do you regularly monitor your Companies House filing history for changes you did not make? Companies House's free Follow service emails you whenever a filing is made against a company you follow, so the cost is attention, not money.
- Have you implemented additional verification steps for high-risk business transactions that rely on Companies House data?
- Can you detect if someone attempts to impersonate your business using information that may have been exposed in this breach?
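For the first diagnostic, here is an added example (not code from the original page or from Companies House) of the check a company secretary or security team could automate: triage a filing-history response for officer, registered office and PSC changes the company did not itself submit. The JSON shape and field names assume the public Companies House filing-history API (an `items` list whose entries carry `date`, `category`, `type` and `description`) as understood here; the sample response, the company numbers and the known-filings set are constructed.

```python
"""Triage a filing-history response for changes the company did not make.

Added example, not code from the page or from Companies House. The response
shape (an "items" list with date, category, type and description) assumes the
public filing-history API; the sample response and known filings are constructed.
"""
import json
from datetime import date

# Constructed sample response: one routine filing plus three control-relevant ones.
SAMPLE_FILING_HISTORY = json.dumps({
    "items": [
        {"date": "2025-11-03", "category": "accounts", "type": "AA",
         "description": "accounts-with-accounts-type-micro-entity"},
        {"date": "2025-11-28", "category": "officers", "type": "AP01",
         "description": "appoint-person-director-company-with-name-date"},
        {"date": "2025-11-30", "category": "address", "type": "AD01",
         "description": "change-registered-office-address-company-with-date-old-address-new-address"},
        {"date": "2025-10-01", "category": "officers", "type": "TM01",
         "description": "termination-director-company-with-name-termination-date"},
    ]
})

# Form types that change who controls the company or where its official post goes.
HIGH_RISK_TYPES = {
    "AP01": "director appointed",
    "AP03": "secretary appointed",
    "TM01": "director terminated",
    "CH01": "director details changed",
    "AD01": "registered office address changed",
    "PSC01": "person with significant control notified",
}


def flag_unexpected_filings(raw_json, since, known_filings):
    """Return (date, type, meaning) for every high-risk filing dated on or
    after `since` (ISO date string) that is not in `known_filings`, a set of
    (date, type) pairs the company's own records say it submitted. Anything
    flagged is either a reconciliation gap or a hijack attempt and needs a
    human look."""
    since_date = date.fromisoformat(since)
    items = json.loads(raw_json).get("items", [])
    flagged = []
    for item in items:
        ftype = item.get("type", "")
        if ftype not in HIGH_RISK_TYPES:
            continue  # accounts, confirmation statements etc. are routine
        if date.fromisoformat(item["date"]) < since_date:
            continue  # already reviewed in an earlier run
        if (item["date"], ftype) in known_filings:
            continue  # the company made this change itself
        flagged.append((item["date"], ftype, HIGH_RISK_TYPES[ftype]))
    return sorted(flagged)


def demo():
    """The company appointed a director on 28 Nov and knows it; it never
    changed its registered office, so only the AD01 should be flagged."""
    known = {("2025-11-28", "AP01")}
    return flag_unexpected_filings(SAMPLE_FILING_HISTORY, "2025-11-01", known)


if __name__ == "__main__":
    for filed, ftype, meaning in demo():
        print(f"{filed}  {ftype}  {meaning}")
```

Run against the live API output after each Follow notification, this turns "a filing was made" into an alert only for changes that move control of the company or its correspondence address and that nobody inside the business can account for.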
Related Reading
UK Corporate Registry Breach Exposed Director Data Through Simple Back Button — Five-month Companies House vulnerability let anyone access confidential company data by pressing browser back button
Companies House Glitch Exposed 5 Million Directors to Data Thieves — A simple back button exploit in Companies House WebFiling exposed director personal data for 5 months
NIS2 Becomes Operational Reality for UK Businesses in 2026 — First operational deadlines hit January 2026 with registration closing February 28th
86% of UK Businesses Don't Check Supplier Security — NCSC data reveals alarming security gaps as supply chain attacks surge 50%
Chrome Zero-Days Already Under Attack Before UK Businesses Can Patch — Google patched two Chrome vulnerabilities already exploited in the wild