blindthoughts
breaking · By

UK Visa Portal Exposed Thousands of Passports and Selfies — and Hasn't Fixed It

What Happened

A third-party UK visa application portal has been leaking the passport scans, selfies, and location data of thousands of applicants — and as of publication, the leak remains unpatched. When TechCrunch approached the company about the exposure, the response was not a hotfix or a public disclosure — it was lawyers.

The exposed data includes government-issued identity documents (full passport scans), biometric selfies submitted as part of identity verification, and geolocation data tied to individual applicants. These are exactly the categories of data used for identity theft, synthetic fraud, and social engineering attacks at scale.

Why It Matters

This isn't a breach of credit card numbers or email addresses — it's a breach of the raw inputs used to prove you are you. Passport numbers and biometric photos are non-revocable. You can rotate a password; you cannot rotate your face or your passport number without significant government paperwork.

The attack surface here is severe:

The company's decision to respond with legal threats rather than remediation is a significant red flag. It suggests the exposure may still be live and that affected individuals have no way to know their data was accessed.

What to Do

If you or someone you know submitted documents to a UK visa portal recently:

  1. Assume your passport data is compromised. Contact your bank and any financial institution where you've completed KYC and flag that your identity documents may have been exposed.
  2. Monitor for fraudulent account openings. Services like CIFAS protective registration (UK) can flag your file so lenders apply extra scrutiny before extending credit in your name.
  3. Watch for impersonation attempts. Alert colleagues and family — spear-phishing using your photo and document details is a realistic follow-on attack.
  4. If you are a developer or operator running document verification flows: audit your object storage and API endpoints now. Unauthenticated access to S3-style buckets or misconfigured presigned URLs are the most common root cause of leaks like this. Ensure no document URLs are guessable or publicly listable.
  5. Report to the ICO. UK applicants have rights under UK GDPR. The Information Commissioner's Office (ico.org.uk) accepts breach complaints and can compel disclosure and remediation.

The fact that this portal responded to responsible disclosure with legal pressure — rather than patching — means external regulatory or journalistic pressure may be the only lever that forces a fix. Share this story if you know people who used third-party UK visa services.

Share:𝕏inr/HN🦋@
Was this useful?