- Third-party UK Visa Portal website exposed 100,000 documents in unsecured cloud storage
- Cybercriminals with access to the affected PII can conduct identity theft or fraud
- Victims are advised to protect and monitor accounts and await notification
The UK Visa Portal, a third-party website separate from the official government offering, has reportedly left thousands of highly sensitive documents exposed in a major data breach.
Affected documents and details include passports, photos, verification selfies and other application information, leaving victims wide open to identity theft and potential financial fraud.
The problem occurred as a result of documents being stored on an unsecured server without password protection, meaning anyone with a direct link could access and view them.
UK Visa Portal applications revealed
The data exposure was specifically caused by a misconfigured cloud storage that was completely public – but worse than that, it’s also been revealed that the file directory structure allowed a predictable URL to be used, meaning attackers could easily guess or figure out the link even if they didn’t have it in the first place.
Most obviously, primary passport pages revealing full names, passport numbers, nationalities, dates of birth, places of birth, and issuance and expiration dates were included in the leak, but accompanying documents with home addresses, contact numbers, email addresses and more provided the attackers with even more PII.
TechCrunch reports that at least 100,000 documents were accessible without restrictions, and as of May 26, 2026, the issue had still not been resolved.
Many victims likely accessed the third-party website in error, believing this was the correct way to obtain an electronic travel permit – a process offered in-house by the UK government for a £20 fee.
Individuals who may have used the platform are advised to monitor and protect their credit accounts and secure online accounts with additional layers such as multi-factor authentication and access keys. Data protection laws also legally require affected individuals to be notified – it is unclear whether contact has already been made.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.
