‘UK Visa Portal’ Compromises 100,000 Applicant Passports and Biometric Data

Written by: Lore Apostol, Cybersecurity Writer
Key Takeaways
  • Critical Data Compromise: UK Visa Portal reportedly exposed at least 100,000 sensitive applicant records.
  • Independent Third-Party Entity: The platform operates externally from the official GOV.UK infrastructure.
  • Persistent Vulnerability: Management has allegedly failed to implement remediation protocols; the security breach remains active.

A third-party domain, UK Visa Portal, has publicly exposed the PII of people using the platform for U.K. immigration visa processing, including applicants' passports and biometric identifiers (selfies). An anonymous reporter said the unofficial website exposed at least 100,000 sensitive documents.

Non-Statutory Service and Applicant Misidentification

TechCrunch conducted a forensic verification of the leak, confirming the authenticity of the compromised data via direct outreach to affected individuals. While exact details of the exposure were not disclosed in order to protect impacted users, the inquiry verified the accuracy of the exposed records.

UK Visa Portal maintains no formal affiliation with the U.K. government. Despite its independent status, some applicants complained they remitted processing fees to this private entity under the mistaken belief they were on the official GOV.UK website. 

UK Visa Portal website screenshot | Source: TechCrunch

To ensure data integrity and security, applicants must use official government infrastructure to obtain travel authorizations.

Critical Security Vulnerability and Failed Remediation

The UK Visa Portal reportedly lacks a standardized vulnerability disclosure policy or reporting mechanism. Furthermore, the report says the entity lacks organizational transparency, with no listed executive management or security contacts. 

TechCrunch initiated contact via the provided electronic communication channels but received responses only from legal counsel and a public relations firm. 

Despite requests to coordinate a secure disclosure of the data breach particulars to leadership, no further engagement occurred. Consequently, the critical security vulnerability remains unpatched, resulting in an ongoing compromise of applicant data.

In other news, a report last week claimed that a CISA contractor exposed AWS GovCloud keys in a public GitHub repository. In late April, a hardcoded ClickUp API key exposed almost 1,000 customer emails, including those of government and corporate giants.

