UK visa portal leaks 100,000 sensitive applicant documents online

A U.K.-focused visa service left a large cache of passports, selfie photos and other identity documents publicly exposed online, putting at least 100,000 applicant files at risk of misuse. The material belonged to people who paid UK Visa Portal for help with immigration paperwork, a sharp reminder that a document-handling mistake can quickly become an identity-theft problem when it involves travel records, facial images and passport scans.

The exposure is especially troubling because some applicants appear to have believed they were using an official or government-linked route. In reality, the government’s own electronic travel authorisation applications are handled through GOV.UK, where an ETA currently costs £20 and is required for many short visits of up to six months unless the traveler already holds a visa or another immigration status. The Home Office began enforcing ETA requirements for non-visa nationals on 25 February 2025 as part of a more streamlined, digital immigration system.

That makes the private-service confusion more than a branding problem. For migrants, visitors and families trying to navigate a fast-changing immigration system, a site that looks official enough to collect payment and upload passport images can become a trap: it can harvest highly sensitive records while offering none of the protections people expect from the state. If criminals gain access, the exposed files could be used for fraud, impersonation or other forms of abuse that follow a person long after a trip is over.

The deeper concern is how long the exposure remained uncorrected. The site did not have a normal security-reporting path, and identifiable management contact details were not easy to find, which slowed efforts to raise the alarm. When the address listed on the company website was contacted, the reply came from purported attorneys and a public-relations firm rather than management itself. The leak was still not fixed as of May 26, 2026.

The case also raises regulatory questions. The Information Commissioner’s Office says qualifying personal-data breaches should generally be reported within 72 hours of awareness where feasible, and affected individuals should be notified without undue delay when the risk is high. For a company handling passport scans and selfies, that standard is not abstract. It is the minimum expectation when exposed files can become a permanent security risk for people who were trying to enter the United Kingdom legally and safely.