A website called UK Visa Portal is publicly exposing the passports and selfie photos of applicants who signed up and paid the site to obtain a U.K immigration visa, TechCrunch has learned.
An anonymous person notified TechCrunch about the security lapse, saying that the website is exposing at least 100,000 documents from people who uploaded their passports and selfies to the website as part of the application process.
The website is not affiliated with the U.K. government, and some have complained that they mistakenly paid a fee to this company instead of using the official GOV.UK website.
TechCrunch confirmed that UK Visa Portal is the source of the data leak and verified the authenticity of the exposed data by contacting affected individuals to ask if their information was accurate.
UK Visa Portal does not have a way to report security issues through its website, nor does its website provide names or contact information for the company’s management. TechCrunch sent an email to the address listed on UK Visa Portal’s website to alert the company that it has an ongoing security lapse and to ask who in management can accept specific details to resolve the issue. Given the sensitivity of the exposed data, TechCrunch explained that it could not share specifics with the company’s general customer support inbox because it could not guarantee that the exposed data would not be misused.
Instead, TechCrunch heard back from the company’s purported attorneys and public relations firm. TechCrunch explained again that given the nature of the exposed files, it could only share details directly with the company’s management, and asked that they put TechCrunch in touch with them.
TechCrunch has not heard back from UK Visa Portal’s management. The security lapse has still not been fixed.
While the security issue is ongoing, TechCrunch believes it’s in the public interest that people who use the company’s services are aware of the issue. TechCrunch is not publishing precise details in an effort to minimize any further risk to their information.
It is not necessary to use a third-party service to apply for a U.K. electronic travel authorization, unless you are retaining an immigration attorney, and applicants should apply through the U.K. government’s website.
Source: TechCrunch
