The third-party site UK Visa Portal publicly exposed thousands of passport images and selfie photos uploaded by applicants, a security lapse that TechCrunch says affected at least 100,000 documents before the data was secured. TechCrunch verified the leak, contacted affected individuals, and said the exposed files included location metadata precise enough in some cases to reveal home addresses.
Discovery And Notification
An anonymous tipster alerted TechCrunch to the exposure and provided details that prompted verification efforts. TechCrunch confirmed the site (also operating as UK Visit and ETA‑Pass) was the source of the leak and withheld specific sensitive details while reporting to avoid further risk.
Scope Of The Exposure
Files were stored on an Amazon-hosted storage bucket that was not listing contents publicly but allowed access to anyone with a direct file URL. A backend bug on UK Visa Portal reportedly exposed the list of file addresses, enabling access to passports and selfies.
Company Response
TechCrunch said UK Visa Portal did not respond to direct outreach and instead directed inquiries to attorneys and a PR firm after initial contact. The law firm involved, BakerHostetler, did not provide written authorization showing they represented the company, and its partner did not answer TechCrunch’s follow-up questions about the exposure.
Communication Attempts
TechCrunch emailed the site’s listed contact and was given the name and email of “Michael Taylor,” identified by a customer‑support representative as a manager; TechCrunch received no reply. Reporters requested managerial contact or evidence of authorized representation so they could share sensitive remediation details, but received no substantive response before the bucket was secured.
Data Sensitivity And Risks
The leaked files included government‑issued identity documents and photos; many images retained embedded location metadata. TechCrunch highlighted that exposed passports are especially sensitive given the rising use of online identity checks and regulatory requirements for breach notifications under U.S. state and European law.
Remediation And Verification
TechCrunch reported the bucket was secured overnight on Wednesday, hours after the initial story was published. The publication verified exposed records by contacting affected individuals to confirm the data’s authenticity.
Company Structure And Legitimacy
UK Visa Portal is not affiliated with the U.K. government, and some users said they mistakenly paid the site instead of using the official GOV.UK portal. TechCrunch noted the site is allegedly run by Active Leadgen LLC, purportedly based in the United Arab Emirates, a claim TechCrunch could not independently verify.
Regulatory And User Guidance
TechCrunch raised questions about whether UK Visa Portal will notify affected customers or regulators as required by data‑breach notification laws. The report reminded applicants that using third‑party services is not necessary for U.K. electronic travel authorization unless they are hiring an immigration attorney, and directed users to apply via the official GOV.UK website.
Featured image credits: Lynx Global
For more stories like it, click the +Follow button at the top of this page to follow us.