
TechCrunch has learned that a website called the UK Visa Portal has publicly exposed thousands of passports and personal photos of applicants who paid the site for a UK immigrant visa.
An anonymous person reported the vulnerability to TechCrunch, saying the site was exposing at least 100,000 documents from people who uploaded their passports and personal photos to the site as part of the application process.
The site is not affiliated with the UK government, and some have complained that they mistakenly paid fees to this company instead of using the official website, GOV.UK.
The exposed data was secured overnight Wednesday, hours after our initial story on the incident was published. Due to the highly sensitive nature of the data exposed, TechCrunch revealed that there was an ongoing security issue, while withholding specific details to reduce any additional risk to individuals’ private information.
TechCrunch has not yet received any response from the UK Visa Portal administration. Instead of fixing the issue when we contacted them, the company sent their attorney and their PR firm to us instead.
The vulnerability is the latest example in recent weeks of companies publicly exposing their customers’ sensitive government-issued identity documents, often due to a configuration error rather than an external cyberattack. Passport disclosure is a particular problem at a time when online identity verification is on the rise around the world, thanks to governments introducing age verification laws.
The company’s lack of response also leaves open questions about whether it will alert affected customers that their passports have been publicly disclosed, or notify regulators as required under US and European data breach notification laws.
The data leak originated from a public storage server hosted by Amazon (also known as a bucket), which is used by the UK Visa Portal to host user-uploaded passports and personal photos.
Although the bucket was not publicly listing its contents, the files within were still accessible and viewable to anyone who knew the web address for each file. The person who reported the exposure to us said there was a bug in the backend of the UK Visa Portal website that allowed him to view the list of files in the bucket.
TechCrunch confirmed that the UK Visa Portal (also known as Visit the United Kingdom and ETA-Pass) was the source of the data leak, and verified the exposed data by contacting affected individuals to ask if their information was accurate.
Many user-uploaded photos also contain the exact real-world location, revealing where the photos were taken; in some cases, this location data was accurate enough to reveal the home address of the photo taker.
The UK Visa Portal does not provide a way to report security issues through its website, nor does its website provide names or contact information for company management. TechCrunch sent an email to the email address listed on the UK Visa Portal website, alerting them that the company has an ongoing security vulnerability, and asking who in management we could share details with to resolve the issue. TechCrunch explained that we cannot share details with the company’s general customer support inbox because we cannot guarantee that the exposed data will not be misused.
A customer support representative provided TechCrunch with the name and email address of Michael Taylor, who we’re told is a manager at the UK Visa Portal. The person did not respond to our inquiry.
Shortly after, lawyers from US law firm BakerHostetler and representatives from public relations firm FTI Consulting contacted TechCrunch for information about the issue with the UK Visa Portal. When asked by TechCrunch, the lawyers did not provide evidence that they were authorized to speak on behalf of the company, such as providing us with a public record confirming the name and role of the individuals they claim to represent. We once again noted that we cannot share information about the vulnerability outside of company management.
We added that if Taylor, or any other manager, was willing to accept information about the vulnerability, they could contact us — or the lawyers could copy it into the email thread. We didn’t hear back.
After our story was published and the bucket was secured, TechCrunch provided the lawyers with a series of questions about the vulnerability. The questions we asked BakerHostetler partner Ryan Christian included how long the Amazon-hosted bucket was exposed, why it was exposed, and whether the company had any logs to determine if anyone accessed or downloaded the exposed data. We also asked who, if anyone, at the UK Visa Portal is responsible for cybersecurity. Christian didn’t answer.
The UK Visa Portal is allegedly run by a company called Active Leadgen LLC, which claims to be a company based in the UAE. TechCrunch could not independently confirm this.
It is not necessary to use a third-party service to apply for an electronic travel authorization in the UK, unless you retain an immigration solicitor, and applicants must apply through the UK government website.
This story was first published on May 26, and has been updated with additional information about the vulnerability.