- UK Visa Portal External Website Exposed 100,000 Documents in Unsecured Cloud Repository
- Cybercriminals with access to affected PII could carry out identity theft or fraud
- Victims are advised to protect and monitor accounts and wait for notification
The UK Visa Portal, a third-party website independent of the government’s official offering, has reportedly left thousands of highly sensitive documents exposed in a major data breach.
The affected documents and details include passports, photographs, verification selfies and other application information, leaving victims widely exposed to identity theft and potential financial fraud.
The issue occurred as a result of the documents being stored on an unsecured server without password protection, meaning anyone with a direct link could access and view them.
UK Visa Portal Applications Exposed
The data exposure was specifically caused by a misconfigured cloud storage repository that was completely public, but worse than that, it was also revealed that the file directory structure allowed a predictable URL to be used, meaning attackers could easily guess or decrypt the link even if they didn’t have it in the first place.
Most obviously, the breach included passport main pages exposing full names, passport numbers, nationalities, dates of birth, places of birth, and issuance and expiration dates, but accompanying documents that provided home addresses, contact numbers, email addresses, and more provided the attackers with even more PII.
TechCrunch reports that at least 100,000 documents were available without restrictions and, as of May 26, 2026, the issue had not yet been addressed.
Many victims are likely to have mistakenly accessed the third-party website, believing this was the correct way to obtain an electronic travel authorisation, a process the UK Government offers internally for a fee of £20.
People who have used the platform are encouraged to monitor and protect their credit accounts and protect their online accounts with additional layers such as multi-factor authentication and passcodes. Data protection laws also legally require that affected individuals be notified; It is not clear if contact has already been established.
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.
