Thought Leadership
A visa facilitation service handling UK entry applications has exposed sensitive user data, including passports and selfies, on an openly accessible server, according to a report by TechCrunch.
The publication was alerted via an anonymous tip claiming that at least 100,000 uploaded documents had been left exposed. The files reportedly belong to applicants who submitted passport scans and selfie images as part of their UK entry authorization process.
Importantly, the company in question has no official connection to the UK government. Some users told TechCrunch they mistakenly paid the service believing they were using the official GOV.UK platform. In reality, applicants can apply directly through the UK government without any intermediary, unless they choose to work with an immigration lawyer.
Open cloud storage with no access protection
The incident was not the result of an external cyberattack but rather a misconfigured Amazon cloud storage bucket used by the company to store user uploads. While the bucket did not publicly list its contents, individual files could still be accessed if their exact URLs were known. The source of the leak was reportedly able to reconstruct parts of the file index through a backend vulnerability.
TechCrunch verified the authenticity of the data by contacting affected individuals. The platform behind the leak operates under multiple names, including UK Visa Portal, UK Visit, and ETA-Pass.
A particularly sensitive aspect of the exposed dataset is the presence of location metadata embedded in many images. In some cases, this data was detailed enough to infer users’ home addresses.
First came the lawyers, then silence
The exposed storage was secured during the night following the initial reporting. TechCrunch had withheld technical details initially to avoid further risk to affected users.
Notably, the company provides no dedicated security contact channel, nor does it list responsible personnel on its website. A general support inquiry eventually produced the name and email address of a manager, but no response was received.
Instead, a U.S.-based law firm and a PR agency contacted the publication seeking details of the investigation. However, neither party was able to provide proof of authorization to represent the company. TechCrunch maintained its policy of sharing sensitive details only with verified executives.
A follow-up list of questions—covering the duration of the exposure, logging practices, security ownership, and the root cause—went unanswered by the legal representatives.
Ownership remains unclear
The service is reportedly operated by a company called Active Leadgen LLC, allegedly based in the United Arab Emirates, though this could not be independently confirmed.
It also remains unclear whether affected users will be notified or whether relevant regulatory authorities will be informed, as required under both U.S. and European data protection laws.
