A website called UK Visa Portal publicly exposed thousands of passports and selfie photos of applicants who paid the site to obtain a U.K. immigration visa, TechCrunch has learned.
An anonymous individual notified TechCrunch about the security lapse, saying that the website was exposing at least 100,000 documents from people who uploaded their passports and selfies to the website as part of the application process.
The website is not affiliated with the U.K. government, and some have complained that they mistakenly paid a fee to this company instead of using the official GOV.UK website.
The exposed data was secured overnight into Wednesday, hours after we published our initial story about the incident. Given the highly sensitive nature of the exposed data, TechCrunch revealed that there was an ongoing security issue, while withholding specific details to minimize any additional risk to individuals’ private information.
TechCrunch has still not heard back from UK Visa Portal’s management. Rather than fixing the issue when we reached out, the company sent its attorneys and public relations firm our way instead.
The security lapse is the latest example of companies publicly exposing their customers’ sensitive government-issued identification documents in recent weeks, often caused by a misconfiguration rather than an outside cyberattack. The exposure of passports is especially problematic at a time when online identity checks are on the rise around the world, due to governments rolling out age verification laws.
The company’s lack of response also leaves open questions about whether it will alert affected customers that their passports were publicly exposed, or notify regulators as required under U.S. state and European data breach notification laws.
Exposed passports, selfies, and location data
The data spill stemmed from a public Amazon-hosted storage server (also known as a bucket), which UK Visa Portal uses for hosting user-uploaded passports and selfies.
While the bucket was not publicly listing its contents, the files inside were still accessible and viewable to anyone who knew the web address of each file. The person who notified us about the exposure said a bug on the UK Visa Portal website’s backend allowed them to view the list of files contained in the bucket.
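The state described above, where objects are readable by URL although the bucket does not list its contents, is something a storage policy audit can flag. The following Python sketch is an added example, not code from TechCrunch or the company; the policy, bucket name, account ID and role name are constructed, and it assumes the grant is made through an S3 bucket policy, which the article does not confirm.

```python
import fnmatch
import json

# Constructed sample policy (not the site's real configuration): anyone may
# read objects, but listing is granted only to one application role.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-uploads/*"},
  {"Sid": "AppList", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-app"},
   "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-uploads"}
]}
""")

PROBES = ("s3:GetObject", "s3:ListBucket")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "*" or {"AWS": "*"} means any caller, authenticated or not.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def public_grants(policy):
    """Map each probed action to the Sids of Allow statements open to anyone.

    Simplified: skips statements with a Condition and ignores Deny,
    NotAction, NotPrincipal, object ACLs and Block Public Access settings.
    """
    found = {}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        for probe in PROBES:
            if any(fnmatch.fnmatchcase(probe.lower(), p) for p in patterns):
                found.setdefault(probe, []).append(stmt.get("Sid", "<no Sid>"))
    return found

if __name__ == "__main__":
    print(public_grants(SAMPLE_POLICY))
```

A result that contains `s3:GetObject` but not `s3:ListBucket` matches the situation in the article: nothing is listed, yet every object is one known URL away from being read.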
TechCrunch confirmed that UK Visa Portal (also known as UK Visit and ETA-Pass) was the source of the data leak and verified the authenticity of the exposed data by contacting affected individuals to ask if their information was accurate.
Many of the user-uploaded photos also contained the precise real-world location, revealing where the photos were taken; in some cases, this location data was accurate enough to expose the photo taker’s home address.
UK Visa Portal does not provide a way to report security issues through its website, nor does its website provide names or contact information for the company’s management. TechCrunch sent an email to the email address listed on UK Visa Portal’s website, alerting them that the company had an ongoing security lapse, and asking with whom in management we could share details to resolve the issue. TechCrunch explained that we could not share specifics with the company’s general customer support inbox because we could not guarantee that the exposed data would not be misused.
The customer support person provided TechCrunch with the name and email address of Michael Taylor, who we were told is a manager at UK Visa Portal. The person did not respond to our inquiry.
Soon after, attorneys with U.S. law firm BakerHostetler and representatives with public relations firm FTI Consulting contacted TechCrunch seeking information about the issue at UK Visa Portal. When asked by TechCrunch, the attorneys would not provide evidence that they were authorized to speak on behalf of the company, such as by providing us a public record confirming the name and role of the individuals they claim to represent. We noted again that we could not share information about the security lapse outside of the company’s management.
We added that if Taylor, or another manager, is willing to accept information about the security lapse, they can reach out, or the attorneys can copy them on the email thread. We did not hear back.
After our story was published and the bucket secured, TechCrunch presented the attorneys with a series of questions about the security lapse. The questions we asked BakerHostetler partner Ryan Christian included how long the Amazon-hosted bucket was exposed, the reason it was exposed, and if the company had any logs to determine if anyone accessed or downloaded the exposed data. We also asked who at UK Visa Portal is responsible for cybersecurity, if anyone. Christian did not respond.
UK Visa Portal is allegedly run by a company called Energetic Leadgen LLC, which purports to be a company based in the United Arab Emirates. TechCrunch could not independently corroborate this.
It is not necessary to use a third-party service to apply for a U.K. electronic travel authorization, unless you are retaining an immigration attorney, and applicants should apply via the U.K. government’s website.
First published on May 26, and updated with more information about the security lapse.

