UK Visa Portal exposed thousands of applicants’ passports and selfies — then called the lawyers on us - BERITAJA

A website called UK Visa Portal publically exposed thousands of passports and selfie photos of applicants who paid the tract to get a U.K. migration visa, TechCrunch has learned.

An anonymous personification notified TechCrunch about the information lapse, saying that the website was exposing astatine slightest 100,000 documents from group who uploaded their passports and selfies to the website arsenic portion of the exertion process.

The website is not affiliated pinch the U.K. government, and some person complained that they mistakenly paid a interest to this institution alternatively of using the charismatic GOV.UK website.

The exposed information was secured overnight into Wednesday, hours aft we published our first communicative about the incident. Given the highly delicate quality of the exposed data, TechCrunch revealed that location was an ongoing information issue, while withholding circumstantial specifications to minimize immoderate further consequence to individuals’ backstage information.

TechCrunch has still not heard backmost from UK Visa Portal’s management. Rather than fixing the rumor erstwhile we reached out, the institution sent its attorneys and nationalist relations patient our measurement instead.

The information lapse is the latest illustration of companies publically exposing their customers’ delicate government-issued personality documents successful caller weeks, often caused by a misconfiguration alternatively than an extracurricular cyberattack. The vulnerability of passports is particularly problematic astatine a clip erstwhile online personality checks are connected the emergence about the world, acknowledgment to governments rolling retired property verification laws.

The company’s deficiency of consequence besides leaves unfastened questions about whether it will alert affected customers that their passports were publically exposed, aliases notify regulators arsenic required nether U.S. authorities and European information breach notification laws.

Exposed passports, selfies, and location data

The information spill stemmed from a nationalist Amazon-hosted retention server (also known arsenic a bucket), which UK Visa Portal uses for hosting user-uploaded passports and selfies.

While the bucket was not publically listing its contents, the files wrong were still accessible and viewable to anyone who knew the web reside of each file. The personification who notified america about the vulnerability said a bug connected the UK Visa Portal website’s backend allowed them to position the database of files contained successful the bucket.

TechCrunch confirmed that UK Visa Portal (also known arsenic UK Visit and ETA-Pass) was the root of the information leak and verified the authenticity of the exposed information by contacting affected individuals to inquire if their accusation was accurate.

Many of the user-uploaded photos besides contained the precise real-world location, revealing wherever the images were taken; successful immoderate cases, this location information was meticulous capable to expose the image taker’s location address.

UK Visa Portal does not supply a measurement to study information issues done its website, nor does its website supply names aliases interaction accusation for the company’s management. TechCrunch sent an email to the email reside listed connected UK Visa Portal’s website, alerting them that the institution had an ongoing information lapse, and asking pinch whom successful guidance we could stock specifications to resoluteness the issue. TechCrunch explained that we could not stock specifics pinch the company’s wide customer support inbox because we could not guarantee that the exposed information would not beryllium misused.

The customer support personification provided TechCrunch pinch the sanction and email reside of Michael Taylor, who we were told is simply a head astatine UK Visa Portal. The personification did not reply to our inquiry.

Soon after, attorneys pinch U.S. rule patient BakerHostetler and representatives pinch nationalist relations patient FTI Consulting contacted TechCrunch seeking accusation about the rumor astatine UK Visa Portal. When asked by TechCrunch, the attorneys would not supply grounds that they were authorized to speak connected behalf of the company, specified arsenic by providing america a nationalist grounds confirming the sanction and domiciled of the individuals they declare to represent. We noted again that we could not stock accusation about the information lapse extracurricular of the company’s management. 

We added that if Taylor, aliases different manager, is consenting to judge accusation about the information lapse, they could scope retired — aliases the attorneys could transcript them connected the email thread. We did not perceive back.

After our communicative was published and the bucket secured, TechCrunch presented the attorneys pinch a bid of questions about the information lapse. The questions we asked BakerHostetler partner Ryan Christian included really agelong the Amazon-hosted bucket was exposed, the logic it was exposed, and if the institution had immoderate logs to find if anyone accessed aliases downloaded the exposed data. We besides asked who astatine UK Visa Portal is responsible for cybersecurity, if anyone. Christian did not respond. 

UK Visa Portal is allegedly tally by a institution called Active Leadgen LLC, which purports to beryllium a institution based successful the United Arab Emirates. TechCrunch could not independently corroborate this.

It is not basal to usage a third-party work to use for a U.K. physics recreation authorization, unless you are retaining an migration attorney, and applicants should apply done the U.K. government’s website.

First published connected May 26, and updated pinch further accusation about the information lapse.