A broken access control flaw in the UK Companies House WebFiling service exposed private records for approximately five million registered companies for five months, from October 2025 through March 2026. Any authenticated user could access or modify records belonging to other companies using only a valid login and a target company’s registration number. Exposed data included home addresses, dates of birth, and email addresses of company officers and directors, information that directly enables identity fraud, targeted phishing, and social engineering against UK business leadership.
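The behaviour described above, where a valid login plus a company number was enough to reach another company's record, is modelled here as a missing object-level authorisation check; that modelling is an assumption. This is an added example, not Companies House code: the accounts, company numbers, records and function names are all constructed. It contrasts a handler that checks only the login with handlers that check the account against the requested company on every read and write, and it flags accounts whose denied requests span several company numbers.

```python
# Added illustration, not Companies House code. Accounts, company numbers,
# records and function names are constructed for this example.
AUTHORISED = {  # account -> company numbers it may act for
    "alice@example.test": {"00000001"},
    "bob@example.test": {"00000002"},
}
RECORDS = {
    "00000001": {"officer_email": "director-a@example.test"},
    "00000002": {"officer_email": "director-b@example.test"},
}

class Forbidden(Exception):
    pass

def get_record_flawed(user, company_number):
    """Assumed flawed pattern: a valid login is checked, the target record is not."""
    if user not in AUTHORISED:
        raise Forbidden("login required")
    return dict(RECORDS[company_number])

def require_company_access(user, company_number, audit):
    """Object-level check, run on every read and write, with an audit entry."""
    allowed = company_number in AUTHORISED.get(user, set())
    audit.append((user, company_number, allowed))
    if not allowed:
        # Same error for unknown and unauthorised numbers, so the reply
        # does not confirm which company numbers exist.
        raise Forbidden("not authorised for this company")

def get_record_checked(user, company_number, audit):
    require_company_access(user, company_number, audit)
    return dict(RECORDS[company_number])

def update_record_checked(user, company_number, changes, audit):
    require_company_access(user, company_number, audit)
    RECORDS[company_number].update(changes)

def accounts_to_review(audit, threshold=2):
    """Accounts denied on at least `threshold` distinct company numbers."""
    denied = {}
    for user, number, allowed in audit:
        if not allowed:
            denied.setdefault(user, set()).add(number)
    return sorted(u for u, nums in denied.items() if len(nums) >= threshold)
```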