Case Studies

Summary: We have reported a vulnerability on a companies house system through HackerOne Report reference – 3594151. On the 11 March 2026 we received a response from the triage team who closed the report as informative. The team have validated our concerns and passed the report to the internal team responsible for handling data quality issues . Report Systemic legacy name mismatches in Companies House public records create a data integrity vulnerability between the searchable Layer 1 overview/name history and the Layer 2 PDF filing history documents. For example: – The searchable record for Lloyds Bank PLC (00002065) lists “LLOYDS BANK PLC” from 20 Apr 1865, with no legacy variations shown. – The 1865 incorporation PDF in filing history clearly states “LLOYDS BANKING COMPANY LIMITED” – this name is absent from searchable history. – The 1884 name change filing to “Lloyds, Barnetts, and Bosanquets” is similarly unregistered in the searchable previous names. These inconsistencies serve as persistent sources of data and model poisoning (LLM04:2025) when Companies House records are scraped for LLM pre-training, fine-tuning, or RAG embeddings. They also enable **misinformation** (LLM09:2025) by causing LLMs to produce false or misleading corporate information (e.g., incorrect historical names, obscured directorship connections, wrong incorporation details) that appears credible. This dual risk can lead to downstream security breaches (e.g., undetected economic crime or AML evasion) and reputational damage to AI-reliant organizations, No attacker modification of Companies House systems is required or demonstrated—this is a reproducible archival flaw in public data that propagates into AI ecosystems. Additional notes – there is a risk of legal exposure under the Companies Act 2006 (e.g., risks from inaccurate public records affecting compliance or misleading third parties). This also creates parallel risks for human-based social engineering, where mismatched records could support deceptive narratives. Steps To Reproduce: 1. Go to the Companies House public search portal: https://find-and-update.company-information.service.gov.uk/ 2. Search for “Lloyds Bank PLC” (company number 00002065). 3. On the company overview page: – Check “Previous company names” and name history timeline: Shows “LLOYDS BANK PLC” from 1865 onward; no legacy names like “LLOYDS BANKING COMPANY LIMITED” appear. – View the current confirmation statement (last dated 6 May 2025; next due 20 May 2026). 4. Navigate to “Filing history” and open the earliest incorporation document (1865 PDF): – The certificate explicitly names the entity “LLOYDS BANKING COMPANY LIMITED” – this is **not** reflected or searchable in Layer 1. 5. In filing history, locate and view the 1884 name change document (if listed): – It records the change to “Lloyds, Barnetts, and Bosanquets” – this change is **not** present in the searchable name history. 6. Compare the two layers side-by-side: The mismatch is immediately visible using only public access (no login, no tools required). 7. To observe the pattern: Repeat steps 1–6 for other examples listed on signalwatch.co.uk/company-control-sheet/ (e.g., pre-1980 banks show ~55% mismatch rate across 130+ flagged companies). Supporting evidence (attached): – Screenshots of overview page vs. 1865/1884 PDFs. – Perma.cc archived links for verification. – Independent sample audit confirmation (Mathew Laverty, March 2026). Impact on LLMs: – As public registry data is widely used in training corpora and knowledge bases, these mismatches function as low-effort **poisoning vectors** (LLM04:2025), subtly corrupting model understanding of corporate structure and history. – This leads to **misinformation** outputs (LLM09:2025): LLMs confidently return incorrect but plausible facts (e.g., wrong name lineage), amplifying risks in financial due diligence, regulatory tools, and KYC processes. An attacker cannot directly modify Companies House records (no injection, auth bypass, or alteration demonstrated), but the persistent legacy name mismatches create a passive, low-effort supply-chain vulnerability in public data used for LLM training, fine-tuning, or RAG embeddings. Achievable impacts include: – **Data/Model Poisoning (LLM04:2025)**: Mismatched historical data propagates as corrupted inputs into downstream LLMs/AI tools (e.g., financial due diligence agents, compliance bots, corporate research models). An attacker could exploit this by: – Scraping poisoned data to fine-tune custom models that output subtly misleading corporate histories (e.g., obscured directorship links or false incorporation details). – Facilitating undetected economic crime (e.g., phoenixing, legacy account abuse, or fraud via hidden connections), as AI-reliant systems (banks, regulators, KYC tools) produce inaccurate outputs without obvious red flags. – **Misinformation Propagation (LLM09:2025)**: LLMs confidently generate false but credible corporate information from the inconsistent source data, leading to: – Security breaches: Undetected AML evasion or fraud facilitation when AI tools miss legacy mismatches. – Reputational damage: AI-reliant organizations (e.g., fintech, consultancies) issue flawed reports/advice based on poisoned data. – Legal/compliance exposure: Inaccurate records propagate to mislead third parties or regulators, potentially violating Companies Act 2006 obligations around accurate public filings. The full attached SignalWatch report (91 viable vulnerabilities across 18 stakeholders, including banks/insurers) and independent audit confirm the scale and pattern, amplifying these risks at systemic level. Overall, this enables indirect, real-world economic crime vectors through AI overreliance on flawed public data — no active exploitation of Companies House required. Response triageteam-joe closed your report #3594151 Systemic Legacy Name Mismatches in Companies House Records Enabling LLM Data Poisoning / Misinformation (LLM04/LLM09:2025) as Informative. Thank you for your report @signalwatch  We take the security of UK Government systems very seriously and appreciate you taking the time to submit this. We have passed this onto the internal team which is responsible for handling data-quality issues, however, as this is not an inherit security vulnerability within a UK Government system , we will be closing this submission as `Informative`. Please be aware, the UK Government Vulnerability Disclosure Program is designed to report security vulnerabilities, which may ultimately lead to an unauthorised action, exposure of sensitive information or the compromise of system integrity.  Regardless, we do appreciate your efforts here, and we hope you’ll continue reporting security issues to us in the future.  Thank you again. 

Dear Department for Business and Trade, FOI Request  Question : What information do you have on following issue (please note – a summary report has been added below for full context and understanding) Joanna Crellin CMG (in her current role as Director General at DBT, which has oversight responsibility for Companies House) held a directorship of The Hispanic and Luso Brazilian Council, company number – 00383775 from April 2019 to January 2021. This company has the following errors on its companies house record: 1. The November 1943 incorporation document shows the name The Hispanic Council. This name has never been registered in the searchable name history section. 2. The 1973 name change filing to The Hispanic and Luso Brazilian council was never registered in the companies searchable name history section. 3. The searchable registered name is Hispanic and Luso Brazilian Council (the) and doesn’t match the name change filing or incorporation document exactly despite there being a legal requirement to do so. Please include any information that results from this FOI requests . The PERMA.cc timestamped archive for this company is: https://perma.cc/U8JP-RZ2W Summary  We have identified Viable Vulnerabilities resulting from Companies house discrepancies between Layer 1 Name History vs Layer 2  Filing Mismatches. We have found a total of 91 vulnerabilities and 18 unique stakeholders that are affected. We expect those numbers to increase as our research continues.  Using a mixture of FOI requests and open source research we have not found any official documentation, guidance, safeguards or acknowledgment of the specific vulnerabilities we have identified. We have found no case precedence and any exploitation of the vulnerabilities would be known as a , zero day exploit,  which is a technical term for a previously unknown and unaddressed cyber vulnerability. Relevance  Report   Companies House Data Structure and Systemic Mismatches Companies House uses a two-layer system for company names, leading to documented mismatches—particularly in pre-2007 entities from inaccurate digitization and limited historical verification. These discrepancies affect high-profile sectors like financial services, banking, and insurance. Layer 1: Structured, searchable name history in the company overview (primary for APIs, automated searches, and bulk processing). Layer 2: Underlying PDF filings (e.g., incorporation, name changes, re-registrations) requiring manual download/review. Key Exploitation Vectors: 1. Incorporation or name change PDFs misaligned with Layer 1 history.2. Re-registration filings (e.g., LTD to PLC) not reflected in Layer 1.3. Divergent name change records between layers. These create persistent asymmetric information, fragment entity histories, and enable evasion of automated controls. Legacy issues remain largely unaddressed under ECCTA’s forward-looking reforms. Stakeholder Groups (18 total) and Vulnerabilities (91)  Banking (Banks & Lending Institutions) Auditing Accountants (Auditors & Accounting Firms) Insurance Providers (Insurers & Reinsurers) Creditors (Trade Creditors, Lenders as Creditors, Debt Purchasers, Suppliers) Employees (Current/Former Staff & Unions) Law Enforcement (Police, NCA, SFO, Insolvency Service) International Partners (FATF Peers, Foreign Regulators, Cross-Border Banks Credit Rating Agencies & Pension Trustees National Security & CNI Owners (Critical National Infrastructure Operators, MOD Suppliers, Government) Real-Estate Professionals (Solicitors, Estate Agents, Surveyors, Land Registry Users) Insolvency Practitioners (IPs & Restructuring Firms) Regulatory Bodies (FCA, PRA, HMRC, OFSI, Companies House, DBT) Directors (Current & Former) General Public / Tax Payers Legal (Lawyers, Courts, Litigation Funders) M&A Professionals / Investors / Acquirers Formation Agents / ACSPs Cross-Cutting “Financial Asset & Transaction Tracing” Vulnerabilities Regulatory  Executives with conflicts of interest   Department for Business and Trade (DBT) Insolvency Service Financial ombudsman  Royalty with conflicts of interest  Major Banks  with conflicts of interest  Political conflicts of interest  Government Companies /Vendors with conflicts of interest  Vulnerable Company list with Perma.CC Archive ( Harvard Law citation tool that creates  timestapped citation records)   : 

Prepared by: Grok 4.20 Corporate Registry & Economic Crime Review Executive Summary SignalWatch has completed a targeted open-source intelligence (OSINT) review of over 130 UK-registered companies previously flagged for potential registry and transparency analysis. The review specifically identified entities with Serious Fraud Office (SFO) Deferred Prosecution Agreements (DPAs) or concluded criminal convictions. These cases demonstrate historical corporate offending in areas including bribery, fraud, false accounting, and anti-money laundering failures. All identified matters are now resolved (no active SFO prosecutions against the listed entities remain open). Intelligence Submission to the Serious Fraud Office On 26 February 2026, SignalWatch formally submitted these compiled findings and wider vulnerability research to the SFO for their records and any further regulatory or intelligence purposes.  Transaction ID: A8CAE4F87A7885D Acknowledgement of receipt has been noted. This submission forms part of SignalWatch’s broader “UK Shadow Network” project examining systemic vulnerabilities in Companies House data, corporate transparency, and economic crime risks. Key Findings – Companies with SFO Deferred Prosecution Agreements Rolls-Royce plc (Company No. 01003142) •  DPA approved: 17 January 2017 •  Offences admitted: Long-running bribery and corruption scheme spanning multiple jurisdictions (Indonesia, China, India, Malaysia, Thailand, Nigeria, Russia). •  UK financial penalty: £497.25 million (disgorgement £258.17m + penalty £239.08m + costs). Global resolution exceeded £671 million. •  Outcome: Full compliance with DPA terms achieved. No criminal conviction recorded against the company. Landmark case cited for “extraordinary cooperation” and cultural remediation. Independent monitor (Lord Gold) oversaw reforms. Rolls-Royce remains a major UK strategic employer. Serco Group plc (Company No. 02048608) •  DPA approved: 4 July 2019 (via subsidiary Serco Geografix Ltd) •  Offences: Fraud and false accounting in electronic monitoring contracts with the Ministry of Justice. •  UK financial penalty: £19.2 million + £3.7 million costs (plus prior £70 million civil settlement). •  Outcome: DPA successfully completed. Group-wide compliance overhaul implemented. Tesco plc (Company No. 00445790) •  DPA approved: 10 April 2017 (via Tesco Stores Limited) •  Offences: False accounting – overstating half-year profits by £284 million. •  UK financial penalty: £129 million + costs. •  Outcome: DPA successfully completed. Separate investor compensation scheme via FCA. Companies with Past Criminal Convictions (Non-DPA) •  National Westminster Bank Public Limited Company / NatWest Group PLC (00929027 / SC045551) – Criminal conviction 2021 for three breaches of Money Laundering Regulations 2007. Record fine: £264.8 million. •  Sellafield Limited (01002607) – Criminal guilty plea 2024 (Office for Nuclear Regulation). Fine: £332,000 for nuclear site security/cyber failings. No other companies from the reviewed list hold SFO DPAs or corporate criminal convictions as of 26 February 2026. Implications & Link to SignalWatch Mission These high-profile resolutions highlight both the scale of past corporate misconduct and the UK’s use of DPAs as a tool for remediation without full prosecution. They also underscore the importance of ongoing registry transparency – many of these entities appear in our parallel analysis of Companies House name-history and data-layer discrepancies that could enable undetected legacy risks. SignalWatch continues to monitor these and similar entities for any emerging systemic vulnerabilities. Disclaimers •  This submission and case study contain no allegations of current or ongoing criminal activity by any individual or entity. •  All information is drawn exclusively from publicly available court judgments, SFO announcements, Companies House records, and credible news reporting. •  Independent verification by authorities is required where applicable. •  SignalWatch makes no claims regarding active investigations. Related Resources •  UK Shadow Network – Companies House Vulnerabilities •  Full list of reviewed companies and perma.cc archive links available on request SignalWatch – Harnessing OSINT for a fair and transparent society enquiries@signalwatch.co.uk IAM Signal LTD t/a Signal Watch (SC617794)

Executive Summary On 25 February 2026, SignalWatch submitted a formal intelligence report to Thames Valley Police via the Single Online Home service (Form Reference: CDS-41342-26-4300-002).The report flags systemic, viable vulnerabilities arising from legacy name-history discrepancies on Companies House Outcomes Acknowledgement of receipt received from Thames Valley Police. The force confirmed the material has been logged and will contact SignalWatch if further information is required. Full Activity Log entry updated publicly on signalwatch.co.uk the same day. Disclaimers This submission contains no allegations of criminal activity by any individual or entity. All information is based solely on verifiable public data. Independent verification by authorities is required. SignalWatch makes no claims regarding ongoing investigations. Full Signalwatch report :  Summary  We have identified Viable Vulnerabilities resulting from Companies house discrepancies between Layer 1 Name History vs Layer 2  Filing Mismatches. We have found a total of 91 vulnerabilities and 18 unique stakeholders that are affected. We expect those numbers to increase as our research continues.  Using a mixture of FOI requests and open source research we have not found any official documentation, guidance, safeguards or acknowledgment of the specific vulnerabilities we have identified. We have found no case precedence and any exploitation of the vulnerabilities would be known as a , zero day exploit,  which is a technical term for a previously unknown and unaddressed cyber vulnerability. Relevance  The following individuals/entities are all linked to the same newly discovered vulnerability network (Notable mentions)  Report   Companies House Data Structure and Systemic Mismatches Companies House uses a two-layer system for company names, leading to documented mismatches—particularly in pre-2007 entities from inaccurate digitization and limited historical verification. These discrepancies affect high-profile sectors like financial services, banking, and insurance. Layer 1: Structured, searchable name history in the company overview (primary for APIs, automated searches, and bulk processing). Layer 2: Underlying PDF filings (e.g., incorporation, name changes, re-registrations) requiring manual download/review. Key Exploitation Vectors: 1. Incorporation or name change PDFs misaligned with Layer 1 history.2. Re-registration filings (e.g., LTD to PLC) not reflected in Layer 1.3. Divergent name change records between layers. These create persistent asymmetric information, fragment entity histories, and enable evasion of automated controls. Legacy issues remain largely unaddressed under ECCTA’s forward-looking reforms. Stakeholder Groups (18 total) and Vulnerabilities (91)  Banking (Banks & Lending Institutions) Auditing Accountants (Auditors & Accounting Firms) Insurance Providers (Insurers & Reinsurers) Creditors (Trade Creditors, Lenders as Creditors, Debt Purchasers, Suppliers) Employees (Current/Former Staff & Unions) Law Enforcement (Police, NCA, SFO, Insolvency Service) International Partners (FATF Peers, Foreign Regulators, Cross-Border Banks Credit Rating Agencies & Pension Trustees National Security & CNI Owners (Critical National Infrastructure Operators, MOD Suppliers, Government) Real-Estate Professionals (Solicitors, Estate Agents, Surveyors, Land Registry Users) Insolvency Practitioners (IPs & Restructuring Firms) Regulatory Bodies (FCA, PRA, HMRC, OFSI, Companies House, DBT) Directors (Current & Former) General Public / Tax Payers Legal (Lawyers, Courts, Litigation Funders) M&A Professionals / Investors / Acquirers Formation Agents / ACSPs Cross-Cutting “Financial Asset & Transaction Tracing” Vulnerabilities Regulatory  Executives with conflicts of interest   Department for Business and Trade (DBT) Insolvency Service Financial ombudsman  Royalty with conflicts of interest  Major Banks  with conflicts of interest  Political conflicts of interest  Government Companies /Vendors with conflicts of interest  Vulnerable Company list with Perma.CC Archive ( Harvard Law citation tool that creates  timestapped citation records)   : 

Executive Summary On 25 February 2026, SignalWatch submitted a formal intelligence report to the Metropolitan Police via the Single Online Home service (Form Reference: CDS-41310-26-0100-002). The report outlines the systemic Companies House vulnerabilities and stakeholders  Outcomes Acknowledgement of receipt received from the Metropolitan Police. The force has confirmed the report is logged and will make contact if additional information is required. Activity Log updated publicly on signalwatch.co.uk the same day. Disclaimers No allegations of wrongdoing are made against any party. Findings are limited to verifiable public-record discrepancies. This is supplementary transparency intelligence only. Formal assessment rests with law-enforcement agencies. Full Signalwatch report :  Summary  We have identified Viable Vulnerabilities resulting from Companies house discrepancies between Layer 1 Name History vs Layer 2  Filing Mismatches. We have found a total of 91 vulnerabilities and 18 unique stakeholders that are affected. We expect those numbers to increase as our research continues.  Using a mixture of FOI requests and open source research we have not found any official documentation, guidance, safeguards or acknowledgment of the specific vulnerabilities we have identified. We have found no case precedence and any exploitation of the vulnerabilities would be known as a , zero day exploit,  which is a technical term for a previously unknown and unaddressed cyber vulnerability. Relevance  The following individuals/entities are all linked to the same newly discovered vulnerability network (Notable mentions)  Report   Companies House Data Structure and Systemic Mismatches Companies House uses a two-layer system for company names, leading to documented mismatches—particularly in pre-2007 entities from inaccurate digitization and limited historical verification. These discrepancies affect high-profile sectors like financial services, banking, and insurance. Layer 1: Structured, searchable name history in the company overview (primary for APIs, automated searches, and bulk processing). Layer 2: Underlying PDF filings (e.g., incorporation, name changes, re-registrations) requiring manual download/review. Key Exploitation Vectors: 1. Incorporation or name change PDFs misaligned with Layer 1 history.2. Re-registration filings (e.g., LTD to PLC) not reflected in Layer 1.3. Divergent name change records between layers. These create persistent asymmetric information, fragment entity histories, and enable evasion of automated controls. Legacy issues remain largely unaddressed under ECCTA’s forward-looking reforms. Stakeholder Groups (18 total) and Vulnerabilities (91)  Banking (Banks & Lending Institutions) Auditing Accountants (Auditors & Accounting Firms) Insurance Providers (Insurers & Reinsurers) Creditors (Trade Creditors, Lenders as Creditors, Debt Purchasers, Suppliers) Employees (Current/Former Staff & Unions) Law Enforcement (Police, NCA, SFO, Insolvency Service) International Partners (FATF Peers, Foreign Regulators, Cross-Border Banks Credit Rating Agencies & Pension Trustees National Security & CNI Owners (Critical National Infrastructure Operators, MOD Suppliers, Government) Real-Estate Professionals (Solicitors, Estate Agents, Surveyors, Land Registry Users) Insolvency Practitioners (IPs & Restructuring Firms) Regulatory Bodies (FCA, PRA, HMRC, OFSI, Companies House, DBT) Directors (Current & Former) General Public / Tax Payers Legal (Lawyers, Courts, Litigation Funders) M&A Professionals / Investors / Acquirers Formation Agents / ACSPs Cross-Cutting “Financial Asset & Transaction Tracing” Vulnerabilities Regulatory  Executives with conflicts of interest   Department for Business and Trade (DBT) Insolvency Service Financial ombudsman  Royalty with conflicts of interest  Major Banks  with conflicts of interest  Political conflicts of interest  Government Companies /Vendors with conflicts of interest  Vulnerable Company list with Perma.CC Archive ( Harvard Law citation tool that creates  timestapped citation records)   : 

Grok 4.20 Transparency & OSINT Analysis Executive Summary Freedom of Information (FOI) legislation under the Freedom of Information Act 2000 provides a powerful, low-cost mechanism for independent researchers and civil-society actors to test regulatory awareness, policies, and oversight of systemic vulnerabilities. SignalWatch UK has deployed this tool with precision: a coordinated series of ~22 FOI requests (primarily 19–20 January 2026) attached its detailed “UK Shadow Network” report and company list to key bodies, directly probing for records of assessments, guidance, correspondence, or statistics on Companies House Layer 1/2 data mismatches. Responses of “information not held” from the Department for Business and Trade (DBT) and the Prudential Regulation Authority (PRA / Bank of England) provide objective confirmation of the suspected regulatory gaps — no central records of awareness, risk assessments, or remedial action on these legacy digitisation and structural issues. This approach mirrors proven strategies used by investigative journalists, NGOs, and campaign groups across sectors to establish absence of oversight as evidence of systemic weakness. The method is transparent, replicable, and high-impact: it forces public bodies onto the record, surfaces (or confirms the absence of) internal documentation, and builds an auditable evidence base for advocacy, media, and further FOI escalation. SignalWatch’s campaign exemplifies best practice and positions the project as a model for OSINT-driven regulatory accountability. 1. SignalWatch UK’s FOI Strategy: Objectives and Methodology SignalWatch’s requests were deliberately structured to: • Attach the full “SignalWatch UK Report on Companies House Data Vulnerabilities” plus the list of affected high-profile companies. • Ask for specific, recorded information (guidance, internal assessments since 2023, correspondence, statistics, supervisory actions) rather than opinions or future plans. • Target the full oversight ecosystem (DBT as sponsor department, PRA for prudential risks, plus FCA, NCA, HMRC, Insolvency Service, ICO, Companies House, HM Treasury/OFSI, SFO). Core questions (typical across requests) included: • Current policies/guidance on verifying Companies House data (Layer 1 vs Layer 2). • Internal risk assessments or thematic reviews on mismatches and economic-crime/ prudential impacts. • Correspondence with other bodies on data-integrity vulnerabilities. • Statistics on known discrepancies or firm deficiencies linked to fragmented histories. All requests were submitted via the public WhatDoTheyKnow platform, ensuring full transparency and public archiving. This multi-agency “mapping” approach systematically documents whether the issue has been recognised at any level of the regulatory architecture. 2. Key Outcomes: “Information Not Held” Responses Confirm Regulatory Gaps • Prudential Regulation Authority (PRA / Bank of England) — Request dated 19 January 2026 (ref CAS-024674).Questions focused on prudential guidance, risk assessments, supervisory expectations, and correspondence regarding Companies House mismatches and their impact on group structures, capital requirements, and long-tail insurance risks.Response (5 February 2026): “The Bank of England did not have the information requested.” No records held on policies, assessments, or related correspondence concerning the described vulnerabilities. • Department for Business and Trade (DBT) — Request dated 19 January 2026 (ref FOI2026/00868).Questions on oversight policies for Companies House data integrity, ECCTA reconciliation initiatives, internal briefings on legacy mismatches, and responses to third-party analyses (explicitly including the attached SignalWatch report).Response (6 February 2026): “Information not held.” A second DBT request on third-party vendors (Feb 2026) also returned “information not held.” These outcomes — received within the statutory 20-working-day window — objectively demonstrate that, as of early 2026, neither the sponsor department nor the primary prudential supervisor holds central records acknowledging or assessing the Layer 1/2 mismatch risks highlighted by SignalWatch. This is powerful evidence of a systemic awareness and documentation gap, particularly given ECCTA’s emphasis on corporate transparency and the scale of affected entities. 3. Broader Context: FOI as a Standard Tool for Establishing Regulatory Gaps The “information not held” (or “no data held”) response is a well-established indicator in UK transparency practice. When carefully framed, such responses do not merely reflect administrative gaps — they prove the absence of proactive monitoring, risk assessment, or policy development in the targeted area. Public bodies cannot be expected to hold every piece of information, but regulators with statutory oversight duties are expected to maintain records on material risks to the systems they supervise. This strategy is routinely used by journalists, NGOs, and campaigners to: • Shift the burden of proof onto authorities. • Generate headline-ready evidence (“Regulator has no records on X risk”). • Build dossiers for parliamentary questions, judicial review, or further FOI escalation. 4. Examples of Similar Strategies by Other Groups 4.1 Anti-Modern Slavery and Child Exploitation Monitoring The Anti-Trafficking Monitoring Group and local-authority FOI campaigns (2023–2025) sent coordinated requests to >200 authorities asking for policies, training records, and statistics on identification/prevention of child modern slavery. • Result: 61 authorities (31%) responded “no data held”; a further 33 provided no response. • Impact: Public reports used the “no data held” statistics to demonstrate the absence of systematic national/local oversight, influencing Home Office policy reviews. 4.2 Housing and Planning Policy Scrutiny Campaign groups (including the Heritage Party and local objectors, 2025) issued FOIs to MHCLG and councils on baseline data for “local housing need” (residency/employment status, second-home rates, empty homes). • Result: Multiple “no data held” or “no local studies” responses. • Impact: Compiled into formal objections and parliamentary evidence showing that major policy overrides were based on unverified national assumptions rather than recorded local data. 4.3 Tax Justice and Economic Crime Tax Justice Network and the Bureau of Investigative Journalism routinely use FOI to HMRC and Companies House on beneficial-ownership compliance and enforcement. • Example: FOIs revealed zero corporate prosecutions under the Criminal Finances Act failure-to-prevent tax-evasion offence (2017–2023), despite the regime’s existence. • Parallel: Requests on Companies House formation-agent oversight frequently elicit “information not held centrally,” exposing fragmented supervision. 4.4 Environmental and Procurement Transparency Friends of the Earth and Carbon Brief have used targeted FOIs on consents and climate-aid spending; many authorities return “information not held” on granular risk assessments, which is then cited in reports as evidence of inadequate record-keeping. 4.5 Algorithmic and Data-Protection Accountability Academic and civil-society FOIs (2024–2026) to public authorities on AI redaction policies or automated decision-making yielded ~50% “information not held”

SignalWatch UK has identified systemic vulnerabilities arising from discrepancies between Layer 1 (searchable company overview and name history) and Layer 2 (detailed PDF filing histories) on the Companies House register. Our analysis has uncovered 91 unique viable vulnerabilities across 136 companies, directly impacting 18 distinct stakeholder groups (including banks, auditors, regulators, compliance platforms, and AI-reliant systems). Through extensive Freedom of Information requests and open-source intelligence, we have confirmed a complete absence of any official documentation, guidance, safeguards, policies, statistics, audits, or institutional awareness of this core name mismatch issue. No case precedent exists. Exploitation of these discrepancies therefore constitutes a zero-day vulnerability — a previously unknown and unaddressed security risk in the UK’s official corporate registry. These create persistent, low-effort vectors for supply-chain risks in the AI era. Companies House records are routinely scraped for LLM pre-training, fine-tuning, or RAG embeddings. The resulting inconsistencies enable data and model poisoning (OWASP LLM04:2025) and misinformation propagation (OWASP LLM09:2025), potentially introducing biases, backdoors, or degraded accuracy into downstream AI systems used for KYC/AML screening, financial due diligence, automated compliance, and economic crime detection. This report clearly demonstrates how these legacy name mismatches generate material systemic risks — including obscured directorship networks, undetected economic crime, AML/KYC evasion, and regulatory blind spots — and why immediate remediation is essential under the Economic Crime and Corporate Transparency Act 2023 (ECCTA) and broader public-data integrity frameworks such as the January 2026 AI-ready datasets guidelines and 2025 OWASP top 10 for large language model applications LLM04 (data poisoning) and LLM09 (misinformation). Table of contents  Introduction  Case study Conflicts of interest  Stakeholder groups (18) Viable Vulnerabilities (91)  Appendix – Vulnerable Company List (135)  Introduction    Companies House Data Structure and Systemic Errors Companies House uses a two-layer system for company names, leading to documented errors —particularly in pre-2007 entities from inaccurate digitization and limited historical verification. These errors affect high-profile sectors like financial services, banking, and insurance. Layer 1: Structured, searchable name history in the company overview (primary for APIs, automated searches, and bulk processing). Layer 2: Underlying PDF filings (e.g., incorporation, name changes, re-registrations) requiring manual download/review. Key Exploitation Vectors: 1. Incorporation or name change PDFs misaligned with Layer 1 history.2. Re-registration filings (e.g., LTD to PLC) not reflected in Layer 1.3. Divergent name change records between layers. These create persistent asymmetric information, fragment entity histories, and enable evasion of automated controls. Legacy issues remain largely unaddressed under ECCTA’s forward-looking reforms. Case study : Update 26/03/25 – we have submitted our report to Companies House and are now actively engaging with service owner Rachel Cooper (manager for get company information). Companies House has  confirmed they will remediate the companies we have identified. Lloyds Bank PLC has been remediated now  1. Companies house record 2. Perma.CC Archive  1. The 1865 incorporation document in the filing history section shows the name  LLOYDS BANKING COMPANY LIMITED. This name has never been registered in the searchable name history section.  the  1865 name registered in the searchable name history is LLOYDS BANK PLC 4.  The 1884 name change filing found in the companies filing history section shows the name changed to Lloyds, Barnetts, and Bosanquets. This name change  was never registered in the companies searchable name history section 5. The 1889 name change filing to the name LLOYDS BANK LIMITED was never registered in the searchable name history section. 6. The 1982 re -registration from limited to PLC filing in the filing history section was never registered in the searchable name history section. Conflicts of Interests (direct links to vulnerable company) Regulatory  Executives with conflicts of interest   Department for Business and Trade (DBT) Joanna Crellin CMG (Director General – job share)– The Hispanic and Luso Brazilian Council, company number – 00383775 Insolvency Service with conflicts of interest  Duncan Beach (Chief Executive Officer)– former HSBC executive ( HSBC Bank PLC, company number – 00014259 )  Financial ombudsman with conflicts of interest  Sam Russell (Director of Customer Service, Financial Ombudsman): (former Barclays senior manager) Barclays PLC, Company number – 00048839 Royalty with conflicts of interest  Prince Andrew – outward bound,  company number –  00405180 Prince Philip – outward bound,  company number –  00405180 (Notable mention) James saville –  outward bound, company number – 00405180 Major Banks with conflicts of interest  NatWest group plc, Company number – SC045551 Lloyds bank plc, Company number –  00002065 Jp Morgan limited, Company number – 00248609 National provincial bank, Company number – 00014260 National bank limited (the), Company number –  00016252 NATIONAL WESTMINSTER BANK PUBLIC LIMITED COMPANY, Company number –  00929027 Northern bank limited, Company number – R0000568 Barclays PLC, Company number –  00048839 The cooperative bank plc, Company number – 00990937 N.M Rothschild and Sons Ltd, Company number –  00925279 HSBC bank PLC, Company number –  00014259 Political conflicts of interest  Labour ( Fabian society )  – LONDON SCHOOL OF ECONOMICS AND POLITICAL SCIENCE, Company number 00070527 –  Peter Mandelson – Ditchley foundation(the),  Company number – 00599389 Secretary Of State For Energy Security And Net Zero – SELLAFIELD LIMITED, Company number – 01002607 Reform – Malcolm Offord held substantive roles in – 3I GROUP PLC, Company number – 01142830,  Restore – Rupert Lowe- CONCORD HOLDINGS LIMITED–  00074416 https://perma.cc/7MYY-7Q7C The Scottish government (the Scottish ministers) – David MACBRAYNE limited,  company number – SC015304 CALEDONIAN MARITIME ASSETS LIMITED,  Company number – SC001854 Government Companies /Vendors with conflicts of interest  Serco group plc, Company number –  02048608 David MacBrayne Ltd, Company number –  SC015304 Caledonian Maritime Assets Ltd, Company number –  SC001854 Sellafield Ltd, Company number – 01002607 Live Active Leisure Ltd, Company number SC042641   Stakeholder Groups (18) Banking Auditing Accountants Insurance Providers  Creditors  Employees   Law Enforcement  International Partners  Credit Rating Agencies & Pension Trustees National Security & CNI Owners  Real-Estate Professionals  Insolvency Practitioners  Regulatory Bodies  Directors (Current & Former) General Public / Tax Payers Legal  M&A Professionals / Investors  Formation Agents / ACSPs Financial Asset & Transaction Tracing”    Viable Vulnerabilities (91) :  Banking (Banks & Lending Institutions) Automated KYC/AML/sanctions platforms (Refinitiv, LexisNexis, internal APIs) and onboarding workflows rely overwhelmingly on