A website called the UK Visa Portal has publicly exposed thousands of passports and selfies of applicants who paid the site to obtain UK immigrant visas, according to TechCrunch.
An anonymous person tipped off TechCrunch about the security breach, saying the site exposed at least 100,000 documents from people who uploaded their passports and selfies to the site as part of the application process.
The site is not affiliated with the UK government, and some people have complained that they mistakenly paid a fee to this company instead of using the official GOV.UK website.
The exposed data was secured Wednesday night, hours after we published our original story about the incident. Given the highly sensitive nature of the exposed data, TechCrunch disclosed that there was an ongoing security issue, while withholding specific details to minimize any additional risks to people’s personal information.
TechCrunch has yet to hear from UK Visa Portal management. Instead of resolving the issue when we contacted it, the company sent its lawyers and PR company.
The security breach is the latest example in recent weeks of companies publicly exposing their customers’ sensitive government-issued identity documents, often because of a misconfiguration rather than an external cyber attack. The passport exposure is particularly problematic at a time when online identity checks are on the rise around the world, thanks to governments enforcing age verification laws.
The company’s lack of response also leaves open questions about whether it will notify affected customers that their passports were publicly exposed or notify regulators, as required by state and European data breach notification laws.
Exposed passports, selfies and location data
The data leak came from a public Amazon-hosted storage server (also known as a bucket) that the UK Visa Portal uses to host passports and selfies uploaded by users.
While the bucket did not publicly list its contents, the files inside were still accessible and visible to anyone who knew the web address of each file. The person who reported the issue to us said that a bug in the backend of the UK Visa Portal website allowed them to see the list of files contained in the bucket.
TechCrunch confirmed that UK Visa Portal (also known as Visiting the United Kingdom and ETA-Pass) was the source of the data leak and verified the authenticity of the exposed data by contacting affected individuals to ask if their information was accurate.
Many of the photos uploaded by users also included the exact real-world location, revealing where the images were taken. In some cases, this location data was accurate enough to reveal the home address of the image recipient.
The UK Visa Portal does not provide a way to report security issues through its website, nor does its website provide names or contact details for company management. TechCrunch sent an email to the email address listed on the UK Visa Portal website, notifying them that the company had an ongoing security lapse and asking who in management we could share details with so that the issue could be resolved. TechCrunch explained that we could not share details with the company’s general customer support inbox because we could not guarantee that the exposed data would not be misused.
The customer support person provided TechCrunch with the name and email address of Michael Taylor, who we’re told is a manager at the UK Visa Portal. The person did not respond to our question.
Soon after, lawyers from US law firm BakerHostetler and representatives from public relations firm FTI Consulting contacted TechCrunch seeking information about the issue on the UK Visa Portal. When asked by TechCrunch, the lawyers did not provide evidence that they were authorized to speak on behalf of the company, such as providing us with a public record confirming the name and role of the individuals they claim to represent. We noted again that we could not share information about the security bug outside of company management.
We added that if Taylor, or another director, is willing to accept information about the security breach, they can be contacted — or attorneys can copy it to the email thread. We didn’t hear back.
After our story was published and the bucket was secured, TechCrunch sent the lawyers a series of questions about the security breach. Questions we asked BakerHostetler partner Ryan Christian included how long the Amazon-hosted bucket was exposed, why it was exposed, and whether the company had logs to determine if anyone accessed or downloaded the exposed data. We also asked who at the UK Visa Portal is responsible for cyber security, if anyone. Christian didn’t answer.
The UK Visa Portal is allegedly run by a company called Active Leadgen LLC, which is said to be a company based in the United Arab Emirates. TechCrunch could not independently confirm this.
It is not necessary to use a third-party service to apply for an online UK travel authorization unless you have an immigration lawyer, and applicants should apply through the UK government website.
This story was first published on May 26 and has been updated with additional information about the security flaw.
