Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
A website called the UK Visa Portal has publicly exposed thousands of passports and selfies of people who paid the site to get a visa to immigrate to the UK, TechCrunch has learned.
An anonymous person informed TechCrunch about the security breach, saying the site exposed at least 100,000 documents from people who uploaded their passports and selfies to the site as part of the project.
This site is not affiliated with the UK government, and others to be he complained that he wrongly paid this company instead using the official GOV.UK website.
The revelations were secured on Wednesday night, hours after we published our first story about the incident. In light of the issues that were revealed, TechCrunch revealed that there was no security breach, while hiding information to minimize any risk to people’s privacy.
TechCrunch has not yet heard from the management of the UK Visa Portal. Instead of fixing the problem when we arrived, the company sent their lawyers and a public relations company on our behalf.
The security breach is the latest example of companies exposing their customers’ personal data to the government in recent weeks, often the result of a botched switch rather than a cyber attack. The presentation of passports is becoming increasingly difficult at a time when online checks are increasing worldwide, due to governments are implementing age verification laws.
The company’s lack of response also leaves open questions as to whether it will warn affected customers that their passports have been exposed, or notify regulators as required under US and European data breach laws.
Displayed passports, selfies, and location data
The data loss comes from a server hosted by Amazon (also known as bucket), which the UK Visa Portal uses to host passports filled with users and selfies.
Although the container did not publicly list its contents, the files inside were still accessible and viewable by anyone who knew the address of each file. The person who informed us of the leak said a bug in the backend of the UK Visa Portal allowed them to see a list of files in the bin.
TechCrunch has confirmed this UK Visa Portal (also called UK tour and ETA-Pass) was the source of the data leak and verified the authenticity of the disclosed data by contacting the affected individuals and asking them if their information was correct.
Many of the photos taken by users also had a specific location, indicating where the photos were taken; in some cases, this location data was accurate enough to show the photographer’s home address.
The UK Visa Portal does not provide a security reporting system through its website, nor does its website provide the names or contact information of the company’s management. TechCrunch sent an email to the address on the website of the UK Visa Portal, warning them that the company has a security problem and asking who in the administration we can share information to solve the problem. TechCrunch explained that we cannot share information with the company’s customer support box because we cannot guarantee that the information disclosed will not be misused.
A customer service representative gave TechCrunch the name and email address of Michael Taylor, who we’re told is a manager at the UK Visa Portal. The person did not answer our question.
Shortly thereafter, lawyers from the United States law firm BakerHostetler and representatives of the FTI Consulting company contacted TechCrunch to find out more about the UK Visa Portal. When asked by TechCrunch, the lawyers did not provide evidence that they were authorized to speak on behalf of the company, such as providing us with public records to confirm the name and position of the people they claim to represent. We also realized that we cannot share information about security breaches outside of company management.
We added that if Taylor, or another manager, is willing to accept more security clearance information, they can reach out — or lawyers can take it to the email thread. We haven’t heard anything.
After our article was published and protected, TechCrunch presented the lawyers with several questions about the lapse of protection. The questions we asked BakerHostetler partner Ryan Christian included how long the Amazon-hosted container was exposed, why it was exposed, and whether the company had logs to verify if someone accessed or downloaded the exposed data. We also asked who at the UK Visa Portal is responsible for cybersecurity, if anyone. Christian didn’t answer.
The UK Visa Portal is said to be operated by a company called Active Leadgen LLC, which claims to be a company based in the United Arab Emirates. TechCrunch could not independently verify this.
It is not necessary to use a third party to apply for a UK visa electronically, unless you retain an immigration lawyer, and applicants must use the UK government website.
First published on May 26 and updated with additional information about the security breach.
When you purchase through links in our articles, we can get a little work. This does not affect our right to repair.