[chrisjj]

Only technically possible, so not so bad. /i

And more weasel words at:

The issue could only have been exploited by a logged-in user performing a specific set of actions.

At this stage, we have no confirmed reports of any data having been accessed or changed without permission, and we believe the issue could not have been used to extract data in large volumes.

[sarusso]

The "specific set of actions" is so vague that could range from just opening a specific company page and clicking on a button to performing a complex chain of steps.

This said, it's not that bad, that's true. But the idea of having the personal residential address exposed is not great either.

[chrisjj]

That vagueness is clearly designed to disguise the truth, being "going to his own company's dashboard and trying to view another which he didn't own and pressing the back key four times" https://www.bbc.co.uk/news/articles/c5y41p0dy1wo

As for the the personal residential address exposure, it is a huge breach. This website keeps certain Directors' private info private for very good reason. I look forward to the regulators, ICO, imposing an appropriately huge fine.

And just love the "if we find evidence that anyone has accessed or changed another company’s details without authorisation, we will take firm action." Firm action internally, right? Right?