UK Visa Portal Exposes Thousands of Passport and Selfie Photos in Security Lapse
A third-party website, UK Visa Portal, inadvertently exposed thousands of passports and selfie photos belonging to individuals applying for U.K. immigration visas. The breach, discovered by an anonymous source and reported by TechCrunch, involved at least 100,000 sensitive documents uploaded by applicants as part of their visa process.
The exposed data was stored in an unsecured Amazon-hosted storage bucket, accessible to anyone with the direct file URLs. While the bucket did not publicly list its contents, a backend bug on the UK Visa Portal website allowed unauthorized access to the file directory. Many of the uploaded images also contained precise geolocation data, potentially revealing applicants’ home addresses.
The breach was secured overnight on May 25–26, hours after TechCrunch published its initial report. However, the company allegedly operated by Active Leadgen LLC, a firm claiming ties to the UAE failed to respond directly to the security alert. Instead, its legal team (BakerHostetler) and PR firm (FTI Consulting) contacted TechCrunch, though they provided no verification of their authority to act on the company’s behalf.
TechCrunch verified the authenticity of the exposed data by contacting affected individuals, confirming the leak’s legitimacy. The incident highlights a growing trend of misconfigured cloud storage leading to the exposure of government-issued identity documents, particularly as digital identity checks expand globally.
Notably, UK Visa Portal is not affiliated with the U.K. government, and applicants are advised to use the official GOV.UK website for visa applications unless working with an immigration attorney. The company’s lack of transparency raises concerns about whether it will notify affected individuals or regulators, as required under U.S. state and European data breach laws.
As of publication, UK Visa Portal’s management has not responded to inquiries about the duration of the exposure, the cause of the misconfiguration, or whether logs exist to determine if unauthorized parties accessed the data. The incident underscores the risks of entrusting sensitive documents to unverified third-party services.
UK Visa Portal TPRM report: https://www.rankiteo.com/company/uk-visas-online-ltd
Active Leadgen LLC TPRM report: https://www.rankiteo.com/company/active-communications-international---europe-aci-europe-
"id": "uk-act1779913656",
"linkid": "uk-visas-online-ltd, active-communications-international---europe-aci-europe-",
"type": "Breach",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Thousands of visa applicants',
'industry': 'Immigration Services',
'location': 'UAE (claimed ties)',
'name': 'UK Visa Portal (Active Leadgen LLC)',
'type': 'Third-party visa application service'}],
'attack_vector': 'Misconfigured Cloud Storage',
'data_breach': {'file_types_exposed': ['Images (passport scans, selfies)'],
'number_of_records_exposed': '100,000+',
'personally_identifiable_information': 'Yes (passport '
'details, selfie '
'photos, geolocation '
'data)',
'sensitivity_of_data': 'High (government-issued identity '
'documents, personally identifiable '
'information)',
'type_of_data_compromised': ['Passport images',
'Selfie photos',
'Geolocation data']},
'date_publicly_disclosed': '2024-05-25',
'date_resolved': '2024-05-26',
'description': 'A third-party website, UK Visa Portal, inadvertently exposed '
'thousands of passports and selfie photos belonging to '
'individuals applying for U.K. immigration visas. The breach '
'involved at least 100,000 sensitive documents uploaded by '
'applicants as part of their visa process. The exposed data '
'was stored in an unsecured Amazon-hosted storage bucket, '
'accessible to anyone with the direct file URLs. The breach '
'was secured overnight on May 25–26 after being reported by '
'TechCrunch.',
'impact': {'brand_reputation_impact': 'High',
'data_compromised': 'Passport images, selfie photos, geolocation '
'data',
'identity_theft_risk': 'High',
'legal_liabilities': 'Potential violations under U.S. state and '
'European data breach laws',
'systems_affected': 'UK Visa Portal website, Amazon-hosted storage '
'bucket'},
'investigation_status': 'Ongoing (no response from UK Visa Portal regarding '
'duration of exposure or unauthorized access logs)',
'lessons_learned': 'Risks of misconfigured cloud storage, importance of '
'verifying third-party services for handling sensitive '
'documents, need for transparency in breach notifications',
'post_incident_analysis': {'root_causes': 'Misconfigured Amazon S3 bucket, '
'backend bug allowing unauthorized '
'access to file directory'},
'recommendations': 'Use official government portals for visa applications, '
'ensure cloud storage is properly secured, implement '
'breach notification protocols, verify third-party service '
'providers',
'references': [{'date_accessed': '2024-05-25', 'source': 'TechCrunch'}],
'regulatory_compliance': {'regulations_violated': ['U.S. state data breach '
'laws',
'European data breach laws '
'(GDPR)']},
'response': {'communication_strategy': 'No direct response to security alert; '
'contacted TechCrunch via legal/PR '
'teams',
'containment_measures': 'Secured the unsecured Amazon S3 bucket',
'third_party_assistance': 'Legal team (BakerHostetler), PR firm '
'(FTI Consulting)'},
'stakeholder_advisories': 'Applicants advised to use the official GOV.UK '
'website for visa applications unless working with '
'an immigration attorney',
'title': 'UK Visa Portal Exposes Thousands of Passport and Selfie Photos in '
'Security Lapse',
'type': 'Data Exposure',
'vulnerability_exploited': 'Unsecured Amazon S3 bucket with backend bug '
'allowing unauthorized access to file directory'}