A website called UK Visa Portal publicly exposed thousands of passports and selfie photos of applicants who paid the site to get a U.K. immigration visa, TechCrunch has learned.
An anonymous individual notified TechCrunch about the security lapse, saying that the website was exposing at least 100,000 documents from people who uploaded their passports and selfies to the website as part of the application process.
The website is not affiliated with the U.K. government, and some people complained that they mistakenly paid a fee to this company instead of using the official GOV.UK website.
The exposed data was secured overnight into Wednesday, hours after we published our first story about the incident. Given the highly sensitive nature of the exposed data, TechCrunch revealed that there was an ongoing security issue, while withholding specific details to minimize any further risk to individuals’ private information.
TechCrunch has still not heard back from UK Visa Portal’s management. Rather than fixing the issue when we reached out, the company sent its attorneys and public relations firm our way instead.
The security lapse is the latest example of companies publicly exposing their customers’ sensitive government-issued identity documents in recent weeks, often caused by a misconfiguration rather than an outside cyberattack. The exposure of passports is particularly problematic at a time when online identity checks are on the rise around the world, thanks to governments rolling out age verification laws.
The company’s lack of response also leaves open questions about whether it will alert affected customers that their passports were publicly exposed, or notify regulators as required under U.S. state and European data breach notification laws.
Exposed passports, selfies, and location data
The data spill stemmed from a public Amazon-hosted storage server (also known as a bucket), which UK Visa Portal uses for hosting user-uploaded passports and selfies.
While the bucket was not publicly listing its contents, the files inside were still accessible and viewable to anyone who knew the web address of each file. The individual who notified us about the exposure said a bug on the UK Visa Portal website’s backend allowed them to view the list of files contained in the bucket.
TechCrunch confirmed that UK Visa Portal (also known as UK Visit and ETA-Pass) was the source of the data leak and verified the authenticity of the exposed data by contacting affected individuals to ask if their information was accurate.
Many of the user-uploaded photos also contained the precise real-world location, revealing where the images were taken; in some cases, this location data was close enough to expose the image taker’s home address.
UK Visa Portal does not provide a way to report security issues through its website, nor does its website provide names or contact information for the company’s management. TechCrunch sent an email to the email address listed on UK Visa Portal’s website, alerting them that the company had an ongoing security lapse, and asking with whom in management we could share details to resolve the issue. TechCrunch explained that we could not share specifics with the company’s general customer support inbox because we could not guarantee that the exposed data would not be misused.
The customer support individual provided TechCrunch with the name and email address of Michael Taylor, who we were told is a manager at UK Visa Portal. The individual did not reply to our inquiry.
Soon after, attorneys with U.S. law firm BakerHostetler and representatives with public relations firm FTI Consulting contacted TechCrunch seeking information about the issue at UK Visa Portal. When asked by TechCrunch, the attorneys would not provide evidence that they were authorized to speak on behalf of the company, such as by providing us a public record confirming the name and role of the individuals they claim to represent. We noted again that we could not share information about the security lapse outside of the company’s management.
We added that if Taylor, or another manager, is willing to accept information about the security lapse, they can reach out — or the attorneys can copy them on the email thread. We did not hear back.
After our story was published and the bucket secured, TechCrunch presented the attorneys with a series of questions about the security lapse. The questions we asked BakerHostetler partner Ryan Christian included how long the Amazon-hosted bucket was exposed, the reason it was exposed, and if the company had any logs to determine if anyone accessed or downloaded the exposed data. We also asked who at UK Visa Portal is responsible for cybersecurity, if anyone. Christian did not respond.
UK Visa Portal is allegedly run by a company called Active Leadgen LLC, which purports to be a company based in the United Arab Emirates. TechCrunch could not independently confirm this.
It is not necessary to use a third-party service to apply for a U.K. electronic travel authorization, unless you are retaining an immigration attorney, and applicants should apply through the U.K. government’s website.
First published on May 26, and updated with further information about the security lapse.