100,000 Passports Left Open to Anyone

UK Visa Portal, a private immigration service mistaken for an official government site, has been exposing passport scans and selfies of over 100,000 applicants. The breach remains unpatched.

Your passport scan is sitting in an open folder on the internet right now — and the company responsible hasn't fixed it.

TechCrunch has confirmed that UK Visa Portal, a private immigration service with no affiliation to the British government, has been publicly exposing the passport scans and selfie photos of at least 100,000 applicants. The data was verified by contacting affected individuals directly. The breach, first flagged by an anonymous tipster, is not a historical incident. It is still open.

How People Ended Up Here

The story starts with a search bar. Thousands of people planning to travel to or immigrate to the UK typed something like "UK visa application" into Google and landed on UK Visa Portal — a site that looks, to the untrained eye, like an official government resource. Some paid fees. Many uploaded their passports and selfies as part of what they believed was a legitimate application process.

It wasn't. Applying for a UK Electronic Travel Authorization or visa does not require a third-party service. The UK government's own GOV.UK website handles applications directly, at no premium. UK Visa Portal is one of many private intermediaries that occupy the grey zone between official services and outright scams — charging fees for a process that costs less through official channels, and in this case, storing sensitive biometric documents without adequate security.

The site has no mechanism to report security issues. There are no named executives listed anywhere on the platform. When TechCrunch emailed the company's general support address to flag the vulnerability, the response came not from management but from attorneys and a PR firm. TechCrunch's security editor explained that the sensitivity of the exposed data meant details couldn't be shared with a generic inbox, and asked to be connected directly to someone in leadership. No one responded. The vulnerability remains unpatched as of publication.

Why a Passport Leak Hits Differently

Not all data breaches are equal. Leaked email addresses are annoying. Leaked passwords can be changed. But a passport combined with a face photo is a different category of exposure.

This combination is precisely what financial fraudsters, account hijackers, and deepfake operators look for. Facial recognition bypass attacks — where someone uses a real person's photo to fool identity verification systems — are increasingly common in banking and fintech. A passport number tied to a face doesn't expire when you change your password. For many victims, the damage potential extends years beyond the breach itself.

Under UK GDPR, companies processing personal data in the UK are required to report breaches to the Information Commissioner's Office (ICO) within 72 hours of becoming aware. Whether UK Visa Portal has done so is unknown. The ICO did not immediately comment.

The Ecosystem That Made This Possible

The deeper issue isn't just one leaky website. It's the ecosystem of lookalike services that cluster around government processes — visa applications, tax filings, driving licence renewals, passport renewals. These services exist in most countries and occupy a legal grey zone: not illegal to operate, not officially endorsed, but designed to intercept users who don't know the difference.

For regulators, the challenge is real. Banning third-party immigration services would harm legitimate immigration attorneys and advisors. But allowing any company to operate a site called "UK Visa Portal" while storing biometric data without basic security controls represents a different kind of failure — one of consumer protection infrastructure, not just cybersecurity.

Victims of this breach span nationalities. Anyone who used the site and uploaded documents should assume their data has been exposed and monitor for identity fraud activity.

This content is AI-generated based on source articles. While we strive for accuracy, errors may occur. We recommend verifying with the original source.
