Fake “visa portal” stored users' passports without protection for years / Collage of Channel 24
An online service for applying for British visas has been at the center of a scandal after a large-scale leak of personal data, which exposed passport photos and selfies of people who used the platform to submit documents.
The incident was reported by TechCrunch. Journalists found that the UK Visa Portal website was publicly providing access to the documents of users who uploaded their passports and photos to apply for a British immigration visa or electronic entry permit.
According to an anonymous informant, at least 100,000 documents may have been leaked online. TechCrunch verified the authenticity of the data – journalists contacted several victims, and they confirmed that their documents really belong to them.
The leaked materials included passport photos, selfies and other data commonly used to verify identity during visa applications. Such leaks are particularly dangerous due to the risk of identity theft, financial fraud and the use of documents in social engineering schemes.
The site is not affiliated with the UK government.
The UK Visa Portal is not affiliated with the government, but despite this, some users mistakenly paid money to the service, thinking that they were contacting the official government platform GOV.UK.
Such intermediary services operate in a “gray area” – they offer assistance with filling out applications but often do not explain clearly enough that they do not represent the state. As a result, users may pay additional fees for services that are actually available directly through government websites.
In the case of UK Visa Portal, the problem turned out to be much more serious – the company actually left confidential documents without proper protection.
The company did not respond to journalists' warnings.
The journalists attempted to notify the company of the issue before the story was published, but the site did not have a dedicated mechanism for reporting cybersecurity issues or contact information for data protection officers.
The authors of the article contacted the support email address listed on the website, but received letters in response not from the service's management, but from the company's lawyers and PR representatives. The publication explained that due to the sensitivity of the data, it cannot transmit details via the support email box, as there is no guarantee that the information will not be used by attackers.
TechCrunch requested direct contact with the company’s management, but did not receive a response. The issue remained unresolved at the time of publication.
Why are such leaks particularly dangerous?
Passport and biometric photo leaks are among the most dangerous types of personal data compromise. Unlike a password, a passport cannot be easily replaced with a single click, and photos of documents are often used to open bank accounts, cryptocurrency accounts, or to verify on various services.
A particular threat is that attackers can combine such data with other information sources, allowing them to create convincing fraud schemes or fake digital identities.
In recent years, cyber experts have repeatedly warned about the rise of intermediary services that collect excessive amounts of personal data without sufficient protection. The popularity of e-visas and digital travel permits has only increased the number of such platforms.