Business Registry Director Data Leaked — Yet the Government Is Still Building a National Digital ID

Britain’s Business Registry Left Director Data Wide Open — Yet the Government Is Still Building a National Digital ID

The system that just leaked directors’ home addresses through a back button is also the one the UK government plans to store biometric data in.

CINDY HARPER

Companies House in the UK briefly turned its own corporate register into a self-service fraud toolkit. A vulnerability in the dashboard of the UK’s official business registry let anyone access other companies’ private records by pressing the back button, no hacking required.

Directors’ home addresses, email addresses, and dates of birth were all sitting there, readable and editable by anyone who knew where to look.

Companies House is the government body where every limited company must register to legally exist. It holds the official record of who runs Britain’s businesses, including the personal details of every director. When you incorporate a company in the UK, your information goes into this register. There is no opt-out.

The timing is what makes this even more interesting. Since November 2025, all directors in the UK have been legally required to verify their identity through GOV.UK One Login to act in their roles, feeding passport scans, biometric data, and government credentials into the same Companies House infrastructure.

That’s the system whose dashboard just handed out private director records to anyone pressing the back button.

Dan Neidle, founder of Tax Policy Associates, flagged the issue to Companies House on Friday. He was blunt about what the flaw made possible. “People could get enough data about a company and its directors to potentially commit fraud, to pretend to be it,” he told the Press Association. The risk wasn’t just passive exposure. Someone with access could update a company’s registered address to their own, intercepting official correspondence and documents. “If you could file accounts,” Neidle added, “you could do all kinds of damage.”

Screenshot of a tweet by Dan Neidle describing a Companies House website vulnerability, showing a browser window with a Companies House identity verification notice and company page for "TAX POLICY ASSOCIATES LTD."

Home addresses and dates of birth are the building blocks of identity fraud. Directors registered this information with Companies House under legal obligation, trusting that the government body safeguarding it had secured it properly. That trust had a back button.

Neidle noted the window of exposure matters enormously. “If it was only there for 36 hours, then maybe it’s fine,” he said. “But if it was there for a month or more, it’s very serious.” He pointed to an uncomfortable benchmark: “Security researchers say 15 days is the average time it takes for a vulnerability to be exploited, and this was a particularly easy vulnerability with no hacking required.”

Most data breaches require technical sophistication. This one required a browser.

Companies House shut down the WebFiling service on Friday evening. A spokesperson said: “We are aware of an issue with our WebFiling service and have closed it while we investigate. We apologise for any inconvenience to our customers.” The agency told affected businesses to file as soon as the service returns, document any error messages with timestamps, and wait for their evidence to be reviewed against missed deadlines.

Companies House has said that the vulnerability has existed since October 2025 but has not said how many records were accessed, or whether anyone exploited it before Neidle’s report.

This is the system the UK government wants to scale up nationally.

Prime Minister Keir Starmer announced a digital ID scheme in September 2025, planning to introduce it by the end of the parliamentary term in 2029. The government is developing two related services: GOV.UK One Login, a unified account system replacing over 190 separate government logins, and a GOV.UK Wallet app for storing government-issued documents like driving licences.

Biometric data. Passport scans. Facial recognition. All centralized. All linked. All managed by the same government infrastructure that just exposed director records through a back button.

Over time, the digital ID system is expected to serve as a single access point for government services, including benefits, tax records, and official interactions, potentially eliminating the need for physical documents or multiple logins. The convenience pitch is familiar. So is what gets sacrificed for it.

The GOV.UK One Login system sitting at the core of this expansion, already has a documented security record. Security tests revealed the system allows bad actors to gain access without detection, and it scored only 21 out of 39 in its Cyber Assessment Framework tests.

An internal exercise found the system may already have been compromised without detection and potentially contain malware, core work was outsourced overseas, including to Romania, individuals who raised alarms about data and process failures were allegedly silenced, and the system even lost its official trust framework certification.

The government’s response has been to keep spending. The project has been compared to “Post Office Horizon all over again,” a reference to the UK’s most notorious recent IT scandal, in which a flawed computer system sent dozens of innocent postal workers to prison.

The government is not learning from its mistakes.


This article (Britain’s Business Registry Left Director Data Wide Open — Yet the Government Is Still Building a National Digital ID) was created and published by Reclaim the Net and is republished here under “Fair Use” with attribution to the author Cindy Harper

••••

The Liberty Beacon Project is now expanding at a near exponential rate, and for this we are grateful and excited! But we must also be practical. For 7 years we have not asked for any donations, and have built this project with our own funds as we grew. We are now experiencing ever increasing growing pains due to the large number of websites and projects we represent. So we have just installed donation buttons on our websites and ask that you consider this when you visit them. Nothing is too small. We thank you for all your support and your considerations … (TLB)

••••

Comment Policy: As a privately owned web site, we reserve the right to remove comments that contain spam, advertising, vulgarity, threats of violence, racism, or personal/abusive attacks on other users. This also applies to trolling, the use of more than one alias, or just intentional mischief. Enforcement of this policy is at the discretion of this websites administrators. Repeat offenders may be blocked or permanently banned without prior warning.

••••

Disclaimer: TLB websites contain copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to our readers under the provisions of “fair use” in an effort to advance a better understanding of political, health, economic and social issues. The material on this site is distributed without profit to those who have expressed a prior interest in receiving it for research and educational purposes. If you wish to use copyrighted material for purposes other than “fair use” you must request permission from the copyright owner.

••••

Disclaimer: The information and opinions shared are for informational purposes only including, but not limited to, text, graphics, images and other material are not intended as medical advice or instruction. Nothing mentioned is intended to be a substitute for professional medical advice, diagnosis or treatment.

Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of The Liberty Beacon Project.

Be the first to comment

Leave a Reply

Your email address will not be published.


*