A third-party UK visa site exposed passports and selfies on a public AWS server. It’s not official GOV.UK and affected at least 100,000 documents.
UK Visa Portal is not run by the British government. It’s a third-party service, apparently operated by a UAE-registered company called Active Leadgen LLC, that charges fees to help people apply for UK electronic travel authorizations. You don’t need it. The actual application takes minutes on GOV.UK and costs nothing extra. Thousands of people used it anyway, and now their passports and selfies have been sitting exposed on a public Amazon storage server.
TechCrunch learned about the leak from an anonymous tipster who said the site was exposing at least 100,000 documents.
“While the bucket was not publicly listing its contents, the files within were still accessible and viewable to anyone who knew the web address of each file.” reads the report published by TechCrunch.”The person who notified us about the exposure said a bug on the UK Visa Portal website’s back end allowed them to view the list of files contained in the bucket.”
TechCrunch confirmed the exposure and verified it was real by contacting affected individuals directly.
The data wasn’t just passport scans. Many of the uploaded selfies also carried embedded GPS coordinates, accurate enough in some cases to identify the photographer’s home address. That’s a passport number, a face, and a home address in a single file. Identity thieves don’t need more than that.
Passport exposure is especially concerning as governments increasingly use online identity checks and age verification laws.
TechCrunch emailed the UK Visa Portal’s support address, explaining there was an active security lapse and asking for a manager to contact them with details. The company’s customer support agent provided the name and email of someone identified as a manager, however, that person didn’t respond. What arrived instead were attorneys from BakerHostetler and representatives from PR firm FTI Consulting, neither of whom could provide written confirmation they were authorized to speak on the company’s behalf.
The journalists’ position was consistent throughout: they couldn’t share details about the lapse with lawyers whose authority to act for the company hadn’t been verified, because they couldn’t guarantee the exposed data wouldn’t be misused. They offered a simple alternative: have the manager email directly or get copied into the thread. Nobody did.
“TechCrunch has still not heard back from UK Visa Portal’s management. Rather than fixing the issue when we reached out, the company sent its attorneys and public relations firm our way instead.” continues TechCrunch.
A classic crisis communications move: hire expensive people to stall while the damage continues.
The bucket was secured overnight into Wednesday, hours after TechCrunch published its initial story. At the time of writing, the company still hadn’t explained how long the server was exposed.
“After our story was published and the bucket secured, TechCrunch presented the attorneys with a series of questions about the security lapse.” concludes the report. “The questions we asked BakerHostetler partner Ryan Christian included how long the Amazon-hosted bucket was exposed, the reason it was exposed, and if the company had any logs to determine if anyone accessed or downloaded the exposed data. We also asked who at UK Visa Portal is responsible for cybersecurity, if anyone. Christian did not respond.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, UK Visa)
