diff --git a/app/Http/Controllers/V1/Admin/Customer/CustomersController.php b/app/Http/Controllers/V1/Admin/Customer/CustomersController.php
index d0a73186..3dbe5846 100644
--- a/app/Http/Controllers/V1/Admin/Customer/CustomersController.php
+++ b/app/Http/Controllers/V1/Admin/Customer/CustomersController.php
@@ -92,7 +92,11 @@ class CustomersController extends Controller
     {
         $this->authorize('delete multiple customers');
-        Customer::deleteCustomers($request->ids);
+        $ids = Customer::whereCompany()
+            ->whereIn('id', $request->ids)
+            ->pluck('id');
+
+        Customer::deleteCustomers($ids);
         return response()->json([
             'success' => true,
diff --git a/tests/Feature/Admin/CustomerTest.php b/tests/Feature/Admin/CustomerTest.php
index f9bfe2ef..731a4e34 100644
--- a/tests/Feature/Admin/CustomerTest.php
+++ b/tests/Feature/Admin/CustomerTest.php
@@ -181,3 +181,17 @@ test('cannot update customer from another company', function () {
     ])->assertForbidden();
 });
+test('cannot bulk delete customer from another company', function () {
+    $otherCompany = Company::factory()->create();
+    $otherCustomer = Customer::factory()->create([
+        'company_id' => $otherCompany->id,
+    ]);
+    postJson('api/v1/customers/delete', [
+        'ids' => [$otherCustomer->id],
+    ])->assertOk();
+
+    $this->assertDatabaseHas('customers', [
+        'id' => $otherCustomer->id,
+    ]);
+});
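Review bot: `$request->ids` is passed straight into `whereIn` on the new side with no validation visible in this hunk, so a payload that omits `ids` or sends a scalar hands the query builder `null` or a string instead of a list and the outcome is left to the framework rather than to this code. Unless a FormRequest already enforces it outside the hunk, add `$validated = $request->validate(['ids' => ['required', 'array'], 'ids.*' => ['integer']]);` before the query and use `$validated['ids']` in `whereIn`. Also note that `deleteCustomers` now receives the `Collection` returned by `pluck` rather than the raw array it received before; if its parameter is typed `array`, pass `$ids->all()`. The method's signature and the remainder of its body lie outside this hunk, so the surrounding request handling cannot be confirmed here.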
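Review bot: The new test only proves that the foreign row survives, so an endpoint that silently deleted nothing at all (for example `deleteCustomers` short-circuiting on an empty collection) would pass it just as well as the intended company-scoped filter. Create a customer belonging to the authenticated user's company (presumably set up in a `beforeEach` outside this hunk), send `'ids' => [$ownCustomer->id, $otherCustomer->id],` and add `$this->assertDatabaseMissing('customers', ['id' => $ownCustomer->id]);` so the test pins the filtering rather than a no-op. If `Customer` uses soft deletes (not visible here), `assertDatabaseHas` also passes on a soft-deleted row, so `$this->assertNotSoftDeleted($otherCustomer);` is the stricter check for the foreign customer. The request returns 200 for a cross-company id while the sibling update test just above expects 403; that asymmetry is presumably deliberate (no hint to the caller that the id exists in another tenant), but a one-line comment in the test stating so would stop a future reader from "fixing" it.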