15.3.26


# Business Bosses Told to Check Details After Companies House Glitch: The $5 Million Vulnerability That Exposed Corporate Britain


## The Back Button That Almost Broke the System


It was the kind of security flaw that keeps cybersecurity experts awake at night—not because it was sophisticated, but because it was so absurdly simple. On March 12, 2026, Companies House, the UK's official register of more than five million businesses, was forced to suspend its online filing service after a glitch allowed users to access and edit the personal data of other companies by doing nothing more than pressing the "back" button on their browser.


The vulnerability was discovered by Dan Neidle, founder of Tax Policy Associates, who immediately recognized its potential for catastrophic abuse. By simply logging into the site and then hitting the back key several times, users found themselves looking at the dashboard of any company whose number they had entered—complete with full access to directors' home addresses, email addresses, dates of birth, and even the ability to upload fraudulent accounts or delete existing records.


"People could get enough data about a company and its directors to potentially commit fraud—to pretend to be it," Neidle told the Press Association. "Even worse, they could change the address to their address so they could pick up documents and, if you could file accounts, you could do all kinds of damage."


The implications were staggering. For a period that Neidle estimates could have been as long as 36 hours—or potentially much more—the entire corporate register of the United Kingdom was effectively an open book. Shell, BP, AstraZeneca, Tesco, HSBC, Unilever—all of them were potentially exposed. Small businesses, with far fewer resources to detect and respond to fraud, were even more vulnerable.


This 5,000-word guide is the definitive analysis of the Companies House data breach and its implications for American business owners, investors, and anyone concerned about corporate security. While the glitch occurred in the UK, its lessons transcend borders. In an era of global commerce, a vulnerability in one country's corporate register can ripple through supply chains, investment portfolios, and business relationships worldwide.


---


## Part 1: The Anatomy of a Glitch – How the "Back Button" Almost Broke Corporate Britain


### The Discovery


It started with a tip. Dan Neidle, the prominent tax lawyer and founder of Tax Policy Associates, was alerted to the issue by John Hewitt at corporate services provider Ghost Mail. What he found when he investigated was almost too incredible to believe.


A user would log into their own Companies House account. Then, they would enter any other company's registration number. At that point, they would normally be asked for an authorization code. But by pressing the "back" button on their web browser several times—a maneuver requiring no hacking skills whatsoever—they could bypass the security check entirely.


| **Step** | **What Should Happen** | **What Actually Happened** |
| :--- | :--- | :--- |
| 1 | User logs into own account | User logs into own account |
| 2 | User enters another company's number | User enters another company's number |
| 3 | System requests authorization code | System requests authorization code |
| 4 | User enters correct code | User presses "back" button repeatedly |
| 5 | Access granted only to authorized company | Access granted to ANY company's dashboard |


After doing that, users found themselves not looking at their own dashboard, but at the dashboard of the company they had tried to access. From there, they could:


- View directors' home addresses, email addresses, and full dates of birth

- Change the registered office address to any address of their choosing

- Upload fraudulent company accounts

- Delete existing records

- Potentially replace directors with fictional names—as Neidle put it, "replace all the directors of Goldman Sachs with Mickey Mouse" 
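The behaviour in the table is what a multi-step flow produces when a page trusts navigation state instead of re-checking authorization on every request. The sketch below is an added example, not Companies House code: the root cause has not been published, so the session layout, function names and sample codes are all assumptions made to show the flawed check beside a hardened one.

```python
"""Hypothetical model of an "enter company number, then enter code" flow.
Constructed for illustration; not the real service's design."""
import hmac

# Constructed sample data: company number -> authentication code.
AUTH_CODES = {"00000001": "A1B2C3", "00000002": "Z9Y8X7"}


class Session:
    def __init__(self, user):
        self.user = user
        self.selected_company = None  # navigation state only
        self.authorised = set()       # companies whose code this session proved


def select_company(session, number):
    """Step 2: remember which company the user asked for."""
    if number not in AUTH_CODES:
        raise KeyError("unknown company")
    session.selected_company = number


def submit_code(session, code):
    """Step 4: only a correct code records a server-side grant."""
    number = session.selected_company
    ok = number is not None and hmac.compare_digest(code, AUTH_CODES[number])
    if ok:
        session.authorised.add(number)
    return ok


def dashboard_flawed(session):
    """Flawed: renders whatever company was selected, so a page reached
    out of order (for instance through browser history) skips step 4."""
    return session.selected_company


def dashboard_hardened(session):
    """Hardened: every request re-checks the grant, whatever the page order."""
    number = session.selected_company
    if number is None or number not in session.authorised:
        raise PermissionError("authentication code not verified")
    return number


def apply_change(session, number, field, value, store):
    """Write path: authorise against the company named in the request."""
    if number not in session.authorised:
        raise PermissionError("not authorised for " + number)
    store.setdefault(number, {})[field] = value
    return store[number]


if __name__ == "__main__":
    s = Session("alice")
    select_company(s, "00000002")
    print("flawed view shows:", dashboard_flawed(s))
    try:
        dashboard_hardened(s)
    except PermissionError as exc:
        print("hardened view refuses:", exc)
```
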


### The Scale of Exposure


Companies House maintains records for more than **five million companies**. This includes:


- FTSE 100 giants like AstraZeneca, Shell, BP, HSBC, Unilever, and Tesco

- Thousands of mid-market businesses

- Millions of small and micro-enterprises

- Directors and Persons of Significant Control (PSCs) whose personal data is legally required to be on file


Every single one of these entities was potentially exposed during the window the glitch was active.


### The Timing Question


The most critical unknown is how long the vulnerability existed. Neidle was blunt about the stakes: "If it was only there for 36 hours, then maybe it's fine. But if it was there for a month or more, it's very serious".


Security researchers typically estimate that the average time for a vulnerability to be exploited is **15 days**. This particular flaw was so easy to find and exploit—requiring no technical sophistication whatsoever—that the risk of malicious use was extraordinarily high.


Companies House has not disclosed when the glitch first appeared. As of this writing, the public still does not know which companies were impacted or for how long their data was exposed.


---


## Part 2: The Fraud Risk – From Mickey Mouse to Million-Dollar Heists


### The Impersonation Threat


The most immediate danger is identity theft—specifically, corporate identity theft. With access to directors' personal information—home addresses, email addresses, dates of birth—bad actors have everything they need to impersonate company officers.


"People could get enough data about a company and its directors to potentially commit fraud – to pretend to be it," Neidle warned.


Imagine receiving an email that appears to come from your company's CEO, with accurate personal details, requesting a wire transfer. That's phishing. Now imagine that same email is backed by the ability to change the company's registered address in official government records, so that all subsequent legal and financial correspondence goes to the fraudster instead of the real business.


### The Document Interception Scheme


This is where the address-changing capability becomes devastating. If a fraudster changes a company's registered office address to their own address, they can intercept:


- Bank statements and credit cards

- Tax documents and filings

- Legal notices

- Loan applications and approvals

- Shareholder communications


With those documents in hand, they can apply for loans, open lines of credit, and conduct business in the company's name—all while the real directors remain completely unaware.


"The experts we spoke to thought sophisticated bad actors would target limited numbers of small companies; change office/directors, apply for loans, run off with the money," Neidle explained.


Small businesses are particularly vulnerable. They lack the legal and compliance teams of larger corporations. They may not monitor their Companies House records daily. By the time they discover the fraud, the perpetrators are long gone.


### The Account Filing Fraud


The glitch also potentially allowed users to upload fraudulent accounts. A bad actor could:


- File false financial statements to obtain credit

- Hide the company's true financial position from lenders

- Create fake profits to attract investors

- Conceal losses to maintain stock price


For publicly traded companies, this could trigger regulatory investigations, stock price collapses, and massive liability.


### The Legal Consequences


Under the Computer Misuse Act 1990, unauthorized access to computer material carries a maximum prison sentence of **two years**. If the access is gained with the intent to commit further offenses—such as fraud—the penalty increases to **up to five years**.


But catching the perpetrators requires knowing they existed. And with the timeline of exposure still unknown, countless victims may never even realize they were targeted.


---


## Part 3: The Regulatory Response – What Companies House Did


### The Immediate Shutdown


Within hours of being alerted by Neidle, Companies House took action. A spokesperson confirmed: "We are aware of an issue with our WebFiling service and have closed it while we investigate. We apologise for any inconvenience to our customers".


The filing service was suspended, preventing any new filings from being submitted. For businesses with looming deadlines, this created its own set of problems.


### Guidance for Affected Customers


For companies worried about missing filing deadlines due to the outage, Companies House issued clear instructions:


"If you miss your filing deadline due to the service being unavailable, there's no need to call us. File as soon as you can once the service is available, and take a screenshot of any error messages and note the time and date. We'll take this evidence into account if you cannot file".


This was a pragmatic response, acknowledging that the glitch was not the fault of businesses and that penalties should not be imposed for circumstances beyond their control.


### The Investigation


As of the latest updates, Companies House continues to investigate the root cause of the glitch and the duration of the exposure. The agency has not yet commented on whether any malicious activity was detected or whether any companies have come forward as victims of fraud.


For a registry of five million companies, the lack of clarity is deeply concerning. If the vulnerability existed for weeks or months, the potential for undetected fraud is enormous.


---


## Part 4: The Broader Context – A System Under Strain


### The ID Verification Overhaul


The glitch comes at a time of significant transition for Companies House. Under the Economic Crime and Corporate Transparency Act, the agency is undergoing its most significant overhaul in decades. New rules require every UK company director and Person of Significant Control (PSC) to verify their identity before they can continue performing their legal duties.


By mid-November 2026, approximately **6 to 7 million directors and PSCs** must have completed this verification. As of August 2025, fewer than **300,000** had done so. The low level of preparedness has alarmed industry observers.


Cindy van Niekerk, CEO of digital identity platform Umazi, warned: "Without verification, directors may soon be unable to file accounts, appoint or resign board members, or even legally manage their companies. That could mean serious operational paralysis for thousands of businesses".


### Previous Glitches and Frustrations


This isn't the first time Companies House systems have caused frustration. In August 2025, business owners reported "Kafkaesque problems" with the new GOV.UK One Login verification system. Users experienced:


- Digital codes failing to appear

- An "infinite loop" of login screens

- The system failing to recognize documents as evidence

- Multiple log-ins required to complete a single task


Officials admitted that "essential security features" could affect the process and conceded that One Login did not meet all cybersecurity standards. Tom Maddocks, head of Media Training Associates, told The Mail on Sunday he was pausing his verification "until they've sorted out all the wrinkles".


### The March 2 Delays


Just days before the major glitch, Companies House experienced another service disruption. On March 2, 2026, users reported delays in issuing personal codes for new and existing users looking to register companies or issue confirmation filings. The issue was resolved within hours, but it added to the sense of a system under strain.


---


## Part 5: The American Angle – Why This Matters to U.S. Businesses


### Global Supply Chains


American businesses that work with UK companies—as suppliers, customers, or partners—have a direct stake in this incident. If a UK partner's corporate records have been compromised, the consequences can ripple across the Atlantic.


Consider a U.S. manufacturer that relies on a UK-based supplier. If that supplier's bank accounts are taken over by fraudsters, payments from the U.S. company could be redirected. If the supplier's legal existence is compromised, contracts could become unenforceable. If the supplier's reputation is damaged by fraudulent filings, the relationship may be irreparably harmed.


### Investment Exposure


American investment funds hold billions of dollars in UK companies. Pension funds own shares in FTSE 100 companies. Venture capital firms have stakes in UK startups. If any of those companies have been victims of corporate identity fraud, the value of those investments could be affected.


For private companies, the risk is even greater. Without the public scrutiny that comes with stock exchange listing, fraud can go undetected for years—until it's too late.


### The Precedent Problem


Perhaps most significantly, this incident establishes a precedent. If a sophisticated registry like Companies House can be compromised by a simple back-button glitch, what does that say about the security of corporate registries elsewhere? Every country maintains its own version of Companies House. Every one of them is vulnerable to similar flaws.


For American businesses operating internationally, this is a wake-up call. The integrity of corporate records can no longer be taken for granted.


---


## Part 6: The Action Plan – What Business Owners Must Do Now


### Immediate Steps


Dan Neidle's advice was simple and urgent: "Anyone who owns a company should check its Companies House details right now".


For UK-based directors, this means:


| **Action** | **Why It Matters** |
| :--- | :--- |
| Log into your Companies House account | Verify that you can still access it |
| Review all company details | Check registered address, directors, and PSCs |
| Examine recent filings | Look for any unauthorized submissions |
| Check for address changes | Ensure mail isn't being diverted |
| Monitor bank accounts and credit | Watch for unusual activity |


For American businesses with UK subsidiaries or partners, the same vigilance applies. Request confirmation from your UK counterparts that their records remain intact.


### The Deadline Calendar


For UK directors facing mandatory ID verification, the clock is ticking. By mid-November 2026, verification must be complete. Those who delay risk being locked out of their own companies.


Key dates to remember:


- **Now**: Check your Companies House details for unauthorized changes

- **Before filing next accounts**: Complete ID verification via GOV.UK One Login

- **November 2026**: Deadline for all directors and PSCs to be verified


### The Documentation Strategy


In the event of missed filing deadlines due to system outages, documentation is your best defense. Companies House has explicitly stated that screenshots of error messages, with time and date stamps, will be accepted as evidence if you cannot file on time.


Keep records of:

- Any error messages encountered

- Dates and times of attempted access

- Correspondence with Companies House

- Confirmation of any filings submitted


### The Fraud Monitoring Imperative


For the foreseeable future, enhanced fraud monitoring is essential. This includes:


- Daily review of bank account activity

- Credit monitoring for all directors

- Regular checks of Companies House records

- Alerts for any changes to registered information

- Verification of any unexpected loan applications
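The "regular checks" and "alerts for any changes" items can be automated by saving a periodic snapshot of the company's register entry and comparing it with the previous one. The script below is an added example, not an official tool: the snapshot layout and all sample values are constructed, and you would map the fields from whatever export or API response you archive. It flags the changes this article worries about: a moved registered office, officers appearing or vanishing, new filings, and filings that are no longer listed.

```python
"""Compare two saved snapshots of one company's register entry."""

# Constructed sample snapshots; the dictionary layout is an assumption.
ADDRESS_KEYS = ("address_line_1", "locality", "postal_code")

OLD = {
    "registered_office_address": {"address_line_1": "1 Example Street",
                                  "locality": "London", "postal_code": "EC1A 1AA"},
    "officers": [{"name": "DOE, Jane"}, {"name": "ROE, Richard"}],
    "filings": [{"transaction_id": "T001", "type": "AA"},
                {"transaction_id": "T002", "type": "CS01"}],
}
NEW = {
    "registered_office_address": {"address_line_1": "99 Sample Road",
                                  "locality": "Leeds", "postal_code": "LS1 1AA"},
    "officers": [{"name": "DOE, Jane"}, {"name": "MOUSE, Mickey"}],
    "filings": [{"transaction_id": "T002", "type": "CS01"},
                {"transaction_id": "T003", "type": "AD01"}],
}


def _norm(text):
    """Case- and whitespace-insensitive form, so cosmetic edits do not alert."""
    return " ".join(str(text).upper().split())


def _address(snapshot):
    addr = snapshot.get("registered_office_address", {})
    return tuple(_norm(addr.get(key, "")) for key in ADDRESS_KEYS)


def _active_officers(snapshot):
    return {_norm(o["name"]) for o in snapshot.get("officers", [])
            if not o.get("resigned_on")}


def _filings(snapshot):
    return {f["transaction_id"]: f.get("type", "?")
            for f in snapshot.get("filings", [])}


def diff_snapshots(old, new):
    """Return (severity, message) alerts for changes between two snapshots."""
    alerts = []
    if _address(old) != _address(new):
        alerts.append(("HIGH", "registered office changed"))
    before, after = _active_officers(old), _active_officers(new)
    for name in sorted(after - before):
        alerts.append(("HIGH", f"officer appointed: {name}"))
    for name in sorted(before - after):
        alerts.append(("HIGH", f"officer no longer listed: {name}"))
    old_f, new_f = _filings(old), _filings(new)
    for tid in sorted(new_f.keys() - old_f.keys()):
        alerts.append(("MEDIUM", f"new filing: {tid} ({new_f[tid]})"))
    for tid in sorted(old_f.keys() - new_f.keys()):
        alerts.append(("HIGH", f"filing no longer listed: {tid} ({old_f[tid]})"))
    return alerts


if __name__ == "__main__":
    for severity, message in diff_snapshots(OLD, NEW):
        print(severity, message)
```

A filing that disappears between snapshots is rated higher than a new one because routine activity only ever adds to the filing history.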


---


## Part 7: The American Investor's and Director's Playbook


### For Investors in UK Companies


If you hold investments in UK-based companies—whether public or private—take these steps:


| **Investor Action** | **Rationale** |
| :--- | :--- |
| Contact portfolio companies | Ask about their Companies House security review |
| Request confirmation of record integrity | Verify no unauthorized changes occurred |
| Monitor for unusual filings | Public companies' filings are publicly accessible |
| Review investment agreements | Ensure they address fraud scenarios |
| Consider enhanced due diligence | For future UK investments |


### For U.S. Directors of UK Companies


If you serve as a director of a UK subsidiary or joint venture, your personal data may have been exposed. Take immediate action:


1. Check your own credit reports for unauthorized activity

2. Monitor your personal email for phishing attempts

3. Verify your Companies House listing is accurate

4. Complete your ID verification as soon as possible

5. Consider credit monitoring services


### For U.S. Businesses with UK Operations


The parent company of a UK subsidiary has significant exposure. A compromised subsidiary can affect the entire corporate group.


- Review all UK subsidiary records

- Confirm bank account details with financial institutions

- Verify all authorized signatories

- Implement dual approval for any changes to corporate records

- Consider a forensic review of recent filings


### For American Companies Considering UK Expansion


The Companies House glitch should not deter expansion, but it should inform your approach. When establishing a UK presence:


- Register through a reputable corporate service provider

- Monitor your Companies House records monthly

- Use a registered office service to ensure mail security

- Complete ID verification promptly

- Maintain separate bank accounts with strict access controls


---


## Frequently Asked Questions (FAQs)


**Q1: What exactly happened at Companies House?**


A: On March 12, 2026, Companies House suspended its online filing service after discovering a glitch that allowed users to access and edit other companies' data by pressing the "back" button on their browser. The vulnerability potentially exposed personal information of directors—including home addresses, email addresses, and dates of birth—for more than five million companies.


**Q2: Who discovered the glitch?**


A: Dan Neidle, founder of Tax Policy Associates, was alerted to the issue by John Hewitt at Ghost Mail and reported it to Companies House.


**Q3: How long was the glitch active?**


A: It's unclear. Neidle noted that if the vulnerability existed for only 36 hours, the damage may be limited. If it existed for a month or longer, the potential for fraud is "very serious." Companies House has not disclosed the duration.


**Q4: Could someone have changed my company's details without me knowing?**


A: Yes. The glitch potentially allowed users to change registered addresses, upload fraudulent accounts, delete records, and even alter director information. This is why immediate verification of your company's records is essential.


**Q5: What should I do if I miss a filing deadline because of the outage?**


A: Companies House has stated that if you miss a deadline due to service unavailability, you should file as soon as possible once the service is restored. Take screenshots of any error messages, note the time and date, and Companies House will take this evidence into account.


**Q6: Is this related to the new ID verification requirements?**


A: The glitch is separate from the new ID verification requirements under the Economic Crime and Corporate Transparency Act, but both reflect the strain on Companies House systems during a period of major transition.


**Q7: How does this affect American businesses?**


A: U.S. companies with UK subsidiaries, partners, suppliers, or investments may be indirectly affected if their UK counterparts' records were compromised. This could lead to fraud, contract disputes, or financial losses.


**Q8: What's the single biggest takeaway from this incident?**


A: Corporate records are more vulnerable than most business owners realize. A simple browser glitch exposed millions of companies to potential fraud. Immediate verification of your company's records is not just good practice—it's essential protection.


---


## Conclusion: The Fragile Foundation of Trust


On March 12, 2026, the foundation of trust upon which the UK's entire corporate system rests was revealed to be shockingly fragile. A glitch that required no hacking skills, no sophisticated malware, no insider access—just a back button—exposed the personal data of directors from more than five million companies to potential fraud and exploitation.


The numbers tell the story of a system that failed:


- **5 million+** – The number of companies potentially exposed

- **36 hours to 1 month+** – The unknown duration of the vulnerability

- **15 days** – The average time for a vulnerability to be exploited

- **2 years** – The maximum sentence for unauthorized access

- **5 years** – The sentence if access is for fraud

- **7 million** – The number of directors who must complete ID verification by November 2026


For UK directors, the message is urgent: check your records now. Verify that your company still belongs to you. Monitor your credit, your bank accounts, and your mail for signs of foul play. And complete your ID verification before the deadline locks you out of your own business.


For American businesses with UK connections, the warning is clear: trust but verify. The integrity of your UK partners can no longer be assumed. Due diligence must now include active monitoring of corporate records.


For everyone who relies on the integrity of corporate registries—which is to say, everyone who does business—this is a moment of reckoning. If a system as fundamental as Companies House can be compromised by a back button, what other vulnerabilities lie waiting to be discovered?


The age of assuming corporate records are secure is over. The age of **constant vigilance** has begun.
