A website called UK Visa Portal publicly exposed thousands of passports and selfie photos of applicants who paid the site to obtain a U.K. immigration visa, TechCrunch has learned.
An anonymous person notified TechCrunch about the security lapse, saying that the website was exposing at least 100,000 documents from people who uploaded their passports and selfies to the website as part of the application process.
The website is not affiliated with the U.K. government, and some have complained that they mistakenly paid a fee to this company instead of using the official GOV.UK website.
The exposed data was secured overnight into Wednesday, hours after we published our initial story about the incident. Given the highly sensitive nature of the exposed data, TechCrunch revealed that there was an ongoing security issue, while withholding specific details to minimize any additional risk to individuals’ private information.
TechCrunch has still not heard back from UK Visa Portal’s management. Rather than fixing the issue when we reached out, the company sent its attorneys and public relations firm our way instead.
The security lapse is the latest example of companies publicly exposing their customers’ sensitive government-issued identity documents in recent weeks, often caused by a misconfiguration rather than an outside cyberattack. The exposure of passports is especially problematic at a time when online identity checks are on the rise around the world, thanks to governments rolling out age verification laws.
The company’s lack of response also leaves open questions about whether it will alert affected customers that their passports were publicly exposed, or notify regulators as required under U.S. state and European data breach notification laws.
Exposed passports, selfies, and location data
The data spill stemmed from a public Amazon-hosted storage server (also known as a bucket), which UK Visa Portal uses for hosting user-uploaded passports and selfies.
While the bucket was not publicly listing its contents, the files within were still accessible and viewable to anyone who knew the web address of each file. The person who notified us about the exposure said a bug on the UK Visa Portal website’s backend allowed them to view the list of files contained in the bucket.
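The state described above, where listing is off but every object is still readable by URL, is something a bucket owner can check for in their own configuration. The following is an added example, not code from the article or from UK Visa Portal; it assumes access is governed by an S3-style bucket policy, and the sample policy, bucket name, account ID and function names are constructed for illustration.

```python
import fnmatch

# Constructed sample policy (not from the article); bucket and account are
# placeholders. Anyone may read objects; only the app role may list them.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-uploads/*"},
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
         "Action": ["s3:ListBucket", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::example-uploads",
                      "arn:aws:s3:::example-uploads/*"]},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    # "*" and {"AWS": "*"} both match any caller, signed in or not.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def anonymous_grants(policy, action):
    """True if an unconditioned Allow statement gives every caller `action`.
    Simplification: conditioned statements are skipped; Deny, ACLs and
    Block Public Access settings are not evaluated."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        patterns = _as_list(stmt.get("Action", []))
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            return True
    return False


def classify(policy):
    can_read = anonymous_grants(policy, "s3:GetObject")
    can_list = anonymous_grants(policy, "s3:ListBucket")
    if can_read:
        return "objects and listing public" if can_list else "objects public, listing off"
    return "listing public only" if can_list else "no anonymous access"
```

A result of "objects public, listing off" means the uploads are protected only by the secrecy of their file names, so any separate flaw that reveals those names exposes every file.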