- Third-party UK Visa Portal website exposed 100,000 docs in an unsecured cloud repository
- Cybercriminals with access to the affected PII could conduct identity theft or fraud
- Victims advised to protect and monitor accounts, and await notification
UK Visa Portal, a third-party website separate from the official government offering, has reportedly left thousands of highly sensitive documents exposed in a major data leak.
Affected documents and details include passports, photos, verification selfies and other application information, leaving victims widely open to identity theft and potential financial fraud.
The issue happened as a result of documents being stored on an unsecured server without password protection, meaning anyone with a direct link could access and view them.
UK Visa Portal applications exposed
The data exposure was caused specifically by a misconfigured cloud storage repository that was entirely public – but worse than that, it’s also been revealed that the file directory structure allowed used a predictable URL, meaning attackers could easily guess or work out the link even if they didn’t have it in the first place.
Most evidently, primary passport pages exposing full names, passport numbers, nationalities, dates of birth, places of birth, and issue and expiry dates were included in the leak, but accompanying documents providing home addresses, contact numbers, email addresses and more provided attackers with even more PII.
TechCrunch reports at least 100,000 documents were available without restrictions, and as of May 26 2026, the issue had still not been addressed.
Many victims likely accessed the third-party website erroneously, believing this was the correct way to obtain an Electronic Travel Authorization – a process that the UK government offers in-house for a £20 fee.
Individuals who may have used the platform are being advised to monitor and protect their credit accounts and to secure online accounts with additional layers like multi-factor authentication and passkeys. Data protection laws also legally require affected individuals to be notified – it’s unclear if contact has already been made.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
You must be logged in to post a comment Login