UK Visa Portal Exposed 100,000 Applicants’ Passport Photos and Selfies. When Reporters Asked Why, They Got Lawyers Instead of Answers.

A website posing as a visa assistance service has leaked the passport photographs, selfies, and location data of at least 100,000 applicants, and when journalists came knocking for answers, the company sent in the attorneys.
UK Visa Portal, also known as UK Visit and ETA-Pass, left sensitive applicant data sitting on a publicly accessible Amazon server for an unknown period of time before the breach was reported by TechCrunch on May 26. The flaw was not caused by a sophisticated cyberattack. It was a simple misconfiguration. Anyone who had the direct file URL could view passport photos and selfies submitted by real people seeking UK immigration visas.
What makes this worse is who those people thought they were dealing with. Many applicants paid UK Visa Portal believing they were submitting documents directly to the UK Government through GOV.UK. They were not. The site has no official government affiliation whatsoever. You can complete a UK Electronic Travel Authorisation yourself, for free, through the official government website.
Lawyers Before Answers
TechCrunch first contacted UK Visa Portal on May 24 after being tipped off anonymously about the vulnerability. The publication deliberately avoided sending technical details to a generic customer support inbox, citing the obvious risk that the wrong person could exploit the information further. What came back was not a manager or a cybersecurity contact. Instead, attorneys from US-based law firm BakerHostetler and PR professionals from FTI Consulting reached out, asking TechCrunch to hand over details of the flaw.
When pressed, BakerHostetler attorneys declined to even provide proof they represented UK Visa Portal. TechCrunch repeatedly asked for a named management contact to receive the sensitive disclosure. No one from the company responded directly. Questions about how long the data was exposed, why it was exposed, and whether the company keeps download logs went entirely unanswered.
What Was Actually Leaked
The exposed Amazon-hosted storage bucket contained passport photos and selfies uploaded by applicants. Although the bucket was not publicly listed, files stored inside it were fully accessible to anyone with a direct link. Critically, many of those photo files contained embedded geolocation data revealing exactly where each image was taken, and in some cases pinpointing where the applicant lived.
The data was removed from public access by early Thursday morning, but the damage may already be done.
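The embedded geolocation described above travels in the image file's metadata segments, so an upload handler can remove it before a photo is ever written to storage. The following is an added example, not code from UK Visa Portal or TechCrunch; it assumes the uploads are JPEG files, and the function names and sample bytes are constructed for illustration.

```python
import struct

# Segment markers that can carry location or other personal metadata:
# APP1 (Exif, XMP), APP13 (Photoshop/IPTC), COM (free-text comment).
METADATA_MARKERS = {0xE1, 0xED, 0xFE}


def segments(data: bytes):
    """Yield (marker, raw_segment) pairs; the SOS pair carries all image data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xDA:  # start of scan: compressed pixels run to the end
            yield marker, data[pos:]
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length  # the length field counts its own two bytes
        if length < 2 or end > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, data[pos:end]
        pos = end
    raise ValueError("truncated JPEG: no start-of-scan segment")


def strip_metadata(data: bytes) -> bytes:
    """Return the JPEG without metadata segments; pixel data is untouched."""
    kept = [raw for marker, raw in segments(data) if marker not in METADATA_MARKERS]
    return b"\xff\xd8" + b"".join(kept)


def metadata_present(data: bytes) -> bool:
    return any(marker in METADATA_MARKERS for marker, _ in segments(data))


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: a JPEG skeleton (not a decodable photo) with a JFIF
# header, an Exif segment standing in for a GPS block, and a comment.
SAMPLE = (b"\xff\xd8"
          + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + _segment(0xE1, b"Exif\x00\x00" + b"constructed-gps-block")
          + _segment(0xFE, b"constructed comment")
          + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\xd9")
```

Removing the Exif segment also removes the orientation tag, so photos taken sideways may display rotated unless the pixels are rotated first. Re-encoding the image with an imaging library is the stricter option when uploads cannot be trusted to follow this segment layout.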
The Regulatory Problem Nobody Is Talking About
UK Visa Portal has given no indication it intends to notify the thousands of affected applicants that their government-issued identity documents were publicly viewable. Under UK GDPR and applicable data breach notification laws, companies are legally required to inform both regulators and affected individuals of serious data exposures. Silence is not a legal option.
The company provides no named management contacts on its website and offers no mechanism for researchers to report security flaws responsibly. Active Leadgen LLC, the entity believed to be behind UK Visa Portal, claims to operate from the UAE. TechCrunch found no independent evidence to support that claim.
This breach sits within a troubling pattern. Several companies have exposed customers’ passport and ID documents in recent weeks, almost all through basic server misconfigurations rather than targeted attacks. The timing is particularly alarming as governments globally move toward mandatory online age verification laws, creating a surge in ID uploads to third-party platforms.
If you are applying for a UK Electronic Travel Authorisation, use gov.uk. It is free, it is official, and your passport photo will not end up on a public server.
Reporting based on original investigation by TechCrunch, first published May 26, updated with additional disclosures.
