UK Visa Portal website leaks thousands of user passport data and photos online

News
By published

100,000 documents allegedly leaked

Hand holding Australian passport
(Image credit: Atstock Productions / Getty Images)
  • Third-party UK Visa Portal website exposed 100,000 docs in an unsecured cloud repository
  • Cybercriminals with access to the affected PII could conduct identity theft or fraud
  • Victims advised to protect and monitor accounts, and await notification

UK Visa Portal, a third-party website separate from the official government offering, has reportedly left thousands of highly sensitive documents exposed in a major data leak.

Affected documents and details include passports, photos, verification selfies and other application information, leaving victims widely open to identity theft and potential financial fraud.

The issue happened as a result of documents being stored on an unsecured server without password protection, meaning anyone with a direct link could access and view them.

Latest Videos From

UK Visa Portal applications exposed

The data exposure was caused specifically by a misconfigured cloud storage repository that was entirely public – but worse than that, it's also been revealed that the file directory structure allowed used a predictable URL, meaning attackers could easily guess or work out the link even if they didn't have it in the first place.

Most evidently, primary passport pages exposing full names, passport numbers, nationalities, dates of birth, places of birth, and issue and expiry dates were included in the leak, but accompanying documents providing home addresses, contact numbers, email addresses and more provided attackers with even more PII.

TechCrunch reports at least 100,000 documents were available without restrictions, and as of May 26 2026, the issue had still not been addressed.

Many victims likely accessed the third-party website erroneously, believing this was the correct way to obtain an Electronic Travel Authorization – a process that the UK government offers in-house for a £20 fee.

Individuals who may have used the platform are being advised to monitor and protect their credit accounts and to secure online accounts with additional layers like multi-factor authentication and passkeys. Data protection laws also legally require affected individuals to be notified – it's unclear if contact has already been made.

Google logo on a black background next to text reading 'Click to follow TechRadar'

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

Craig Hale
Craig Hale

With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.