Data Leak: Third-Party UK Visa Portal Exposes Passports and Selfies of Thousands of Applicants

A third-party service, UK Visa Portal, unaffiliated with official UK authorities, has leaked confidential data of thousands of visa applicants. Scans of passports and user selfies, uploaded during the document processing, were found in an open Amazon S3 cloud storage bucket. The number of affected files is estimated to exceed 100,000.

The issue arose due to misconfigured cloud storage: although the bucket contents were not publicly indexed, files could be accessed via direct links. An anonymous source reported a backend bug to TechCrunch, allowing the viewing of all uploaded documents. Journalists verified the data by contacting affected individuals.

Of particular concern is that many photos contained metadata with precise geolocation data, including applicants' residential addresses. The service offers no way to report security issues, and attempts to contact management via support were unsuccessful. Instead of addressing the problem promptly, the company turned to lawyers and PR specialists.

UK Visa Portal, allegedly managed by Active Leadgen LLC from the UAE, is not mandatory for British visa applications. Official applications are accepted via the GOV.UK portal, while third-party services may only be used when engaging immigration lawyers. The incident highlights the risks of sharing confidential documents with unverified intermediaries.

The leak occurs amid a rise in cases of compromised government documents due to cloud storage misconfigurations. Such incidents pose threats to online identification systems, especially as identity verification requirements tighten globally.