RSS

UK Visa Portal exposed applicants' passports and selfies

LordAtlas2 pts0 comments

UK Visa Portal exposed thousands of applicants’ passports and selfies — then called the lawyers on us | TechCrunch

–:–:–:–

The first StrictlyVC of 2026 hits SF on April 30. Tickets are going fast. Register now.

Get Disrupt Early Bird savings of up to $410 by May 29, 11:59 p.m. PT. Register now.

Close

SearchSubmit

Site Search Toggle

Mega Menu Toggle

Topics

Latest

AI

Amazon

Apps

Biotech & Health

Climate

Cloud Computing

Commerce

Crypto

Enterprise

EVs

Fintech

Fundraising

Gadgets

Gaming

Google

Government & Policy

Hardware

Instagram

Layoffs

Media & Entertainment

Meta

Microsoft

Privacy

Robotics

Security

Social

Space

Startups

TikTok

Transportation

Venture

More from TechCrunch

Staff

Events

Startup Battlefield

StrictlyVC

Newsletters

Podcasts

Videos

Partner Content

TechCrunch Brand Studio

Crunchboard

Contact Us

Image Credits: Victor Golmer / Getty Images

Security

UK Visa Portal exposed thousands of applicants’ passports and selfies — then called the lawyers on us

Zack Whittaker

11:25 AM PDT · May 27, 2026

A website called UK Visa Portal publicly exposed thousands of passports and selfie photos of applicants who paid the site to obtain a U.K. immigration visa, TechCrunch has learned.

An anonymous person notified TechCrunch about the security lapse, saying that the website was exposing at least 100,000 documents from people who uploaded their passports and selfies to the website as part of the application process.

The website is not affiliated with the U.K. government, and some have complained that they mistakenly paid a fee to this company instead of using the official GOV.UK website.

The exposed data was secured overnight into Wednesday, hours after we published our initial story about the incident. Given the highly sensitive nature of the exposed data, TechCrunch revealed that there was an ongoing security issue, while withholding specific details to minimize any additional risk to individuals’ private information.

TechCrunch has still not heard back from UK Visa Portal’s management. Rather than fixing the issue when we reached out, the company sent its attorneys and public relations firm our way instead.

The security lapse is the latest example of companies publicly exposing their customers’ sensitive government-issued identity documents in recent weeks, often caused by a misconfiguration rather than an outside cyberattack. The exposure of passports is especially problematic at a time when online identity checks are on the rise around the world, thanks to governments rolling out age verification laws.

The company’s lack of response also leaves open questions about whether it will alert affected customers that their passports were publicly exposed, or notify regulators as required under U.S. state and European data breach notification laws.

Exposed passports, selfies, and location data

The data spill stemmed from a public Amazon-hosted storage server (also known as a bucket), which UK Visa Portal uses for hosting user-uploaded passports and selfies.

While the bucket was not publicly listing its contents, the files within were still accessible and viewable to anyone who knew the web address of each file. The person who notified us about the exposure said a bug on the UK Visa Portal website’s backend allowed them to view the list of files contained in the bucket.

TechCrunch confirmed that UK Visa Portal (also known as UK Visit and ETA-Pass) was the source of the data leak and verified the authenticity of the exposed data by contacting affected individuals to ask if their information was accurate.

Many of the user-uploaded photos also contained the precise real-world location, revealing where the images were taken; in some cases, this location data was accurate enough to expose the image taker’s home address.

UK Visa Portal does not provide a way to report security issues through its website, nor does its website provide names or contact information for the company’s management. TechCrunch sent an email to the email address listed on UK Visa Portal’s website, alerting them that the company had an ongoing security lapse, and asking with whom in management we could share details to resolve the issue. TechCrunch explained that we could not share specifics with the company’s general customer support inbox because we could not guarantee that the exposed data would not be misused.

The customer support person provided TechCrunch with the name and email address of Michael Taylor, who we were told is a manager at UK Visa Portal. The person did not reply to our inquiry.

Soon after, attorneys with U.S. law firm BakerHostetler and representatives with public relations firm FTI Consulting contacted TechCrunch seeking information about the issue at UK Visa Portal. When asked by TechCrunch, the attorneys would not provide evidence that they were authorized to speak on behalf of the company, such as by providing us a public record confirming the name and role of...

visa techcrunch portal exposed passports website

Related Articles

Amazon, Facebook, FBI have access to a private intelligence-sharing network

root-parent18 ptsseattle prism shield network private intelligence

Show HN: GoPeek – open links in live mini browser windows without new tabs

GeorgeWoff2518 ptsgopeek open browser links live mini

Agent Memory: An Anatomy

brgsk17 ptsmemory library user agent semantic libraries

SpaceX not the behemoth everyone thought

kaycebasques13 pts_blockquote instagram data vars text media

The Mirror Is Part of the Machine

london_safari10 ptstelemetry mirror decision logs enough time
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.