- Third-party UK Visa portal website exposed 100,000 documents in insecure cloud repository
- Cybercriminals with access to affected personal information could commit identity theft or fraud.
- Victims are advised to protect and monitor their accounts and wait for notification
UK Visa Portal, a third-party website separate from the government’s official offering, is believed to have left thousands of highly sensitive documents exposed in a major data breach.
Affected documents and details include passports, photos, verification selfies and other application information, leaving victims widely exposed to identity theft and potential financial fraud.
The problem was caused by documents being stored on an insecure server without password protection, meaning anyone with a direct link could access and view them.
UK visa portal apps exposed
The data exposure was caused specifically by a misconfigured cloud storage repository that was entirely public – but worse, it was also revealed that the allowed file directory structure used a predictable URL, meaning attackers could easily guess or determine the link even if they didn’t have it to begin with.
Obviously, the main pages of the passport exposing full names, passport numbers, nationalities, dates of birth, places of birth, and dates of issue and expiration were included in the leak, but accompanying documents providing home addresses, phone numbers, email addresses and more provided the attackers with even more personal information.
TechCrunch reports that at least 100,000 documents were available without restrictions and that as of May 26, 2026, the problem had still not been resolved.
Many victims likely accessed the third-party website by mistake, thinking it was the correct way to obtain an electronic travel authorization – a process the UK government offers in-house for a £20 fee.
Those who may have used the platform are advised to monitor and protect their credit accounts and secure their online accounts with additional layers such as multi-factor authentication and passwords. Data protection laws also require that data subjects be informed – it is not clear whether contact has already been made.
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds.
