The UK government’s Companies House WebFiling service suffered a broken access control breach (no CVE assigned, CVSS 7.5) exposing private records of approximately 5 million registered companies from October 2025 through March 2026. Director residential addresses, dates of birth, and email addresses were exposed; the patch has been applied by Companies House. Organizations with entities registered at Companies House, particularly those with directors whose residential addresses are held in WebFiling, should audit filings from the exposure window for unauthorized changes and treat exposed director PII as compromised for downstream phishing and social engineering risk assessment.