UK Visa Portal website leaks thousands of user passport data and photos online

Affected documents and details include passports, photos, verification selfies and other application information, leaving victims widely open to identity theft and potential financial fraud.

The issue happened as a result of documents being stored on an unsecured server without password protection, meaning anyone with a direct link could access and view them.

UK Visa Portal applications exposed

The data exposure was caused specifically by a misconfigured cloud storage repository that was entirely public – but worse than that, it's also been revealed that the file directory structure allowed used a predictable URL, meaning attackers could easily guess or work out the link even if they didn't have it in the first place.

Most evidently, primary passport pages exposing full names, passport numbers, nationalities, dates of birth, places of birth, and issue and expiry dates were included in the leak, but accompanying documents providing home addresses, contact numbers, email addresses and more provided attackers with even more PII.

TechCrunch reports at least 100,000 documents were available without restrictions, and as of May 26 2026, the issue had still not been addressed.

Many victims likely accessed the third-party website erroneously, believing this was the correct way to obtain an Electronic Travel Authorization – a process that the UK government offers in-house for a £20 fee.

Individuals who may have used the platform are being advised to monitor and protect their credit accounts and to secure online accounts with additional layers like multi-factor authentication and passkeys. Data protection laws also legally require affected individuals to be notified – it's unclear if contact has already been made.