
When Public Records Become an Attack Surface: The Companies House Address Vulnerability

Source: lobsters

A recently disclosed vulnerability in Companies House, the UK’s official registrar of companies, allowed attackers to manipulate director address records in ways that could facilitate full company hijacking. This is not simply a bug. It is a symptom of how the registry was architected decades ago, and how difficult it has been to retrofit meaningful security onto a system that was never designed with adversarial conditions in mind.

What Companies House Actually Is

Companies House operates as a notice-filing registry. The distinction matters enormously. In a verification registry, the registrar checks claims before accepting them. In a notice-filing registry, the registrar records what it is told and treats filings as presumptively true. The UK chose notice-filing because it is cheap to run, fast, and imposes minimal friction on legitimate business formation.

The tradeoff is that the system’s integrity depends entirely on the good faith of filers, combined with the assumption that fraud will be caught after the fact. That assumption has aged poorly.

Anyone with a Companies House account and the right form number can file changes to an existing company. The core filing forms that matter here are:

  • AP01: Appointment of a director
  • TM01: Termination of a director
  • CH01: Change of director’s details (including service address)
  • AD01: Change of registered office address

Filing any of these requires no cryptographic proof of identity, no multi-factor authentication tied to the company, and no confirmation from existing directors. An email address and a £13 filing fee are enough to interact with the live register for many filing types.

The Address Problem

Directors of UK companies have two relevant addresses: a residential address (which is supposed to be kept private) and a service address (which is public and where official correspondence is sent). The distinction was introduced under the Companies Act 2006 precisely because residential address disclosure was creating safety risks for directors.

The suppression system works, when it works. But the vulnerability disclosed in the taxpolicy.org.uk article exposes something subtler: the process for changing a director’s service address lacked adequate verification. An attacker who could redirect a director’s service address could redirect the notifications Companies House sends about subsequent filings. Once correspondence is flowing to an address the attacker controls, the attacker can proceed with further changes, including appointing themselves as a director or changing the registered office, while the legitimate director remains unaware.

This is the classic attack chain: change the notification address first, then escalate from there. The same pattern appears in email account takeover (change the recovery address before doing anything else), in phone number porting fraud (port the number to intercept 2FA), and here, in company registry fraud.

The Companies House WebFiling portal has historically accepted address changes without requiring any out-of-band confirmation to the existing recorded address. There was no equivalent of a “we sent a PIN to your old address, enter it here” step. The filing was processed immediately.

What the 2023 Act Was Supposed to Fix

The Economic Crime and Corporate Transparency Act 2023 received Royal Assent in October 2023 and represented the most significant reform to Companies House in decades. The headline changes included mandatory identity verification for directors and persons with significant control, new powers for the Registrar to query and reject suspicious filings, and requirements that registered office addresses be “appropriate” (meaning a real place where documents can actually be delivered and acknowledged).

The identity verification provisions are being phased in. Existing directors were given a transition period to verify their identities, and new companies registering from the implementation date need to verify on formation. Verification is handled either directly through Companies House or via an Authorised Corporate Service Provider (an ACSP, typically an accountant or company formation agent).

The verification mechanism uses document checks, not biometric verification or government database lookups in real time. It is more robust than what existed before, but it is not immune to fraud with good quality documents.

Critically, the verification system addresses identity at formation and appointment. The address-change vulnerability described in this disclosure operates in the modification flow, after a company already exists. The 2023 Act’s reforms are stronger at the front door than at the windows.

How Company Hijacking Unfolds in Practice

The mechanics of a hijack follow a recognizable pattern. An attacker identifies a target company, typically a dormant company with a clean credit history, an inactive company whose directors are not monitoring their CH records, or a company belonging to a sole director who is unlikely to have automated monitoring in place.

The attacker files a CH01 to change the director’s service address to one they control. Companies House processes this. Any subsequent Companies House correspondence about that director goes to the new address. The attacker then files further changes: adding themselves as a director (AP01), changing the registered office (AD01), and eventually removing the original director (TM01).

At this point, the attacker controls a company on the register. They can present Companies House records as proof of legitimacy to open bank accounts, enter contracts, apply for credit, or conduct further fraud. The Companies House register is admissible as prima facie evidence of the matters recorded in it. That gives a hijacked company real legal weight.

The original director may discover the hijack weeks or months later, when they receive correspondence at their residential address (which may or may not have been changed), when they notice credit inquiries, or when a third party flags the anomaly. The remediation process, filing an RP02A (restoration) or using the Companies House fraud reporting service, is slow and places the burden on the victim.

Comparison to Other Registries

The UK is not unique in running a notice-filing registry, but other jurisdictions have layered in different mitigations. Delaware, which hosts more than 60% of Fortune 500 companies, also operates on a notice-filing model, but the practical barrier to filing changes is higher because most Delaware companies use registered agents who have their own verification processes before submitting filings on a client’s behalf.

Ireland’s Companies Registration Office introduced verified filing through digital certificates for certain filing types, linking submissions cryptographically to an identified person. New Zealand’s Companies Office sends real-time email alerts to all recorded directors when any change is filed against their company, creating a lightweight detection mechanism even without prevention.

The common thread in more resilient registries is out-of-band notification: telling someone who should know about a change through a channel the attacker cannot easily intercept before the change takes effect, or at minimum the moment it takes effect.

What a Secure Design Looks Like

The architecture of a secure company registry does not need to be dramatically complex. A few changes would have significant impact:

Mandatory confirmation for address changes. When a director’s service address is changed, send a confirmation to the existing service address and require acknowledgment before the change is processed, or at minimum before it affects correspondence routing. Many banks already do this for contact detail changes.

Real-time alerts to all directors. When any filing is accepted against a company, all recorded directors receive an immediate notification. This does not prevent the filing, but it collapses the window in which an attacker can escalate before detection. New Zealand’s model works here.

Signing-key model for high-risk filings. Director appointments, removals, and registered office changes could require a cryptographic signature from an existing verified director, not just an account login. This is the model used for domain registrar transfers and for changes to DNS nameservers at some registrars: the change requires authorization from the current holder, not just from whoever initiated the request.

Rate limiting and anomaly detection. A company that goes from one director to three directors in 48 hours while also changing its registered office warrants review before the filings are fully processed. This is standard practice in financial services for account changes but largely absent from company registry systems.
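As an added example (not code from the article or from Companies House), here is how the anomaly-detection rule above, together with the CH01-then-escalate chain described earlier, could be expressed as a hold-for-review check over a stream of accepted filings. The filing events, company numbers and filer accounts are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of register filing events, one tuple per accepted form:
# (ISO timestamp, company number, form type, filer account). Company numbers
# and filer accounts are placeholders, not real Companies House records.
FILINGS = [
    ("2024-03-01T09:00", "CONST-0001", "CH01", "filer-x"),  # service address moved
    ("2024-03-01T10:15", "CONST-0001", "AP01", "filer-x"),  # new director added
    ("2024-03-02T08:30", "CONST-0001", "AD01", "filer-x"),  # registered office moved
    ("2024-03-02T11:00", "CONST-0001", "TM01", "filer-x"),  # original director removed
    ("2024-03-05T14:00", "CONST-0002", "AP01", "filer-y"),  # lone routine appointment
    ("2024-04-01T09:00", "CONST-0003", "AP01", "filer-z"),
    ("2024-04-01T09:05", "CONST-0003", "AP01", "filer-z"),
    ("2024-04-02T09:00", "CONST-0003", "AD01", "filer-z"),
]

HIGH_RISK = {"AP01", "TM01", "AD01"}   # forms that change control or routing


def flag_bursts(filings, window_hours=48):
    """Return {company: [reasons]} for companies whose filings inside a
    sliding window of `window_hours` match an escalation pattern. A real
    registry would hold flagged filings for review instead of processing
    them immediately."""
    window = timedelta(hours=window_hours)
    by_company = defaultdict(list)
    for ts, company, form, filer in filings:
        by_company[company].append((datetime.fromisoformat(ts), form, filer))
    flags = {}
    for company, events in by_company.items():
        events.sort()  # chronological order, oldest first
        for i, (t0, first, _) in enumerate(events):
            forms = [f for t, f, _ in events[i:] if t - t0 <= window]
            reasons = []
            # Pattern 1: notification address redirected, then a control change.
            if first == "CH01" and HIGH_RISK & set(forms[1:]):
                reasons.append("CH01 followed by high-risk filing within window")
            # Pattern 2: board grows by two or more while the office also moves.
            if forms.count("AP01") >= 2 and "AD01" in forms:
                reasons.append("multiple AP01 plus AD01 within window")
            if reasons:
                flags[company] = reasons
                break  # one flag per company is enough to trigger review
    return flags
```

Running `flag_bursts(FILINGS)` flags CONST-0001 for the address-redirect chain and CONST-0003 for the rapid board growth plus office move, while the single routine appointment against CONST-0002 passes.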

The Wider Picture

Company registries are identity infrastructure. When they are compromised, the damage propagates through every downstream system that trusts them: credit bureaus, banks, courts, and counterparties who rely on public records as a foundation of trust.

The Companies House vulnerability is worth understanding not as an isolated filing system flaw but as a case study in what happens when public records systems are built for administrative convenience and then gradually acquire security-critical status without a corresponding investment in security architecture. The register started as a notice board. It became a trust anchor. Those are very different things, and the gap between them is exactly the space that attackers exploit.

The 2023 Act is a meaningful step, but identity verification at formation is not the same as integrity protection across the full lifecycle of a company’s existence. The address-change attack works precisely because modification flows received less attention than registration flows. Securing the front door while leaving the windows unlatched is not a complete security posture.
