A broken access control flaw in the UK Companies House WebFiling service exposed private dashboard data, including director home addresses, dates of birth, and email addresses, for approximately five million registered UK companies. The exposure window ran from roughly October 2025 through March 2026, and the flaw was exploitable by any authenticated user via browser back-button navigation, with no tooling required. Organizations with UK-registered companies should treat director personal data from this period as compromised, audit WebFiling submissions for unauthorized filings, assess UK GDPR reportability to the ICO, and re-verify any Companies House data used in KYC or onboarding pipelines during the exposure window. Remediation was applied in approximately March 2026. This item is sourced from T3 sources only (BleepingComputer, Tax Policy Associates); verify directly with Companies House for official confirmation and remediation status.