A website called UK Visa Portal is publicly exposing the passport scans and selfie photos of at least 100,000 people who paid the site to assist with U.K. immigration visa applications, TechCrunch security editor Zack Whittaker reported Tuesday following a tip from an anonymous source. TechCrunch verified the authenticity of the exposed data by contacting affected individuals directly. The website is not affiliated with the U.K. government; Reddit posts show that a significant number of users paid fees to UK Visa Portal under the mistaken impression it was an official channel, when applicants can apply for a U.K. Electronic Travel Authorisation at no third-party cost through the official GOV.UK website. The company provides no named management contacts, no security disclosure address, and no public ownership information on its site.
When TechCrunch attempted to notify the company of the ongoing exposure, it received responses from the company’s purported attorneys and a public relations firm rather than anyone in management — and the vulnerability remained unpatched at publication. Because TechCrunch could not guarantee that a general customer support inbox would not itself misuse the exposed data, it declined to share technical specifics with those intermediaries and asked to be connected directly with management; no such contact was provided. TechCrunch is withholding precise technical details of the vulnerability to limit further risk to affected individuals.