A TechCrunch investigation found that a website called UK Visa Portal had published thousands of passports and selfies of applicants who paid fees to the site to obtain UK immigration visas.
An anonymous person alerted TechCrunch to the security lapse, saying at least 100,000 documents were publicly available on the website from people who uploaded their passports or selfies to the website as part of the application process.
This website is not affiliated with the UK government and we have received complaints that people have mistakenly paid fees to this company without using the official GOV.UK website.
The exposed data was secured overnight into Wednesday, hours after we published our first article on the incident. Given the highly sensitive nature of the leaked data, TechCrunch revealed that there are ongoing security issues, while withholding specific details to minimize further risk to individuals’ private information.
TechCrunch has not yet received a response from UK Visa Portal management. When we contacted them, rather than resolve the issue, the company instead sent us an attorney and a public relations firm.
The security flaw is the latest example of a company publicly exposing its customers’ government-issued identification in recent weeks, often due to a misconfiguration rather than an external cyberattack. Exposure of passports is especially problematic at a time when online identity verification is on the rise around the world, thanks to government enforcement of age verification laws.
The company’s lack of response also leaves open questions about whether it will alert affected customers that their passports have been publicly released or notify regulators under U.S. state and European data breach notification laws.
Passports, selfies, and location data leaked
The data breach occurred from a public storage server (also known as a bucket) hosted by Amazon. This server is used by the UK Visa Portal to host passports and selfies uploaded by users.
Although the contents of the bucket were not publicly visible, anyone who knew each file’s web address could access and view the files within it. The person who notified us about this exposure said that a bug in the backend of the UK Visa Portal website allows them to view the list of files contained in a bucket.
TechCrunch confirmed that the UK Visa Portal (also known as UK Visit and ETA-Pass) was the source of the data breach and verified the authenticity of the leaked data by contacting affected individuals and asking if the information was accurate.
Many of the photos uploaded by users also include their exact real-world location, revealing where the image was taken. In some cases, this location data was accurate enough to reveal the photographer’s home address.
The UK Visa Portal does not provide a way to report security issues through its website, nor does the website provide names or contact information for company management. TechCrunch sent an email to the email address listed on the UK Visa Portal website, warning it of the company’s ongoing security flaws and asking who in management could share details with to resolve the issue. TechCrunch explained that details cannot be shared with the company’s general customer support inbox because it cannot guarantee that the data released will not be misused.
A customer support representative provided TechCrunch with Michael Taylor’s name and email address. I heard he was the manager of the UK Visa Portal. That person did not respond to our inquiries.
Shortly after, lawyers from US law firm BakerHostetler and representatives from public relations firm FTI Consulting contacted TechCrunch, requesting information on the issue on the UK visa portal. In response to TechCrunch’s questions, the lawyers provided no evidence that they were authorized to speak on behalf of the company, including providing us with public records confirming the names and roles of the individuals they claim to represent. We once again pointed out that information about security lapses cannot be shared outside of the company’s control.
It added that if Taylor or another manager is willing to accept information about security lapses, they can be contacted or their attorney can copy the information into an email thread. There was no reply.
After our article was published and the bucket was secured, TechCrunch posed a series of questions to lawyers regarding security lapses. Questions posed to BakerHostetler partner Ryan Christian included how long Amazon-hosted buckets were exposed, why they were exposed, and whether the company had logs to determine whether anyone accessed or downloaded the exposed data. We also asked who, if any, is responsible for cybersecurity at the UK Visa Portal. Christian didn’t respond.
The UK Visa Portal is said to be operated by a company called Active Leadgen LLC, which claims to be a company based in the United Arab Emirates. TechCrunch was unable to independently corroborate this.
There is no need to use a third-party service to apply for a UK electronic travel authorization unless you hire an immigration lawyer. Applicants must apply via the UK Government website.
First published on May 26th, updated with additional information regarding security revocation.
If you buy through links in our articles, we may earn a small commission. This does not affect editorial independence.
Source link
