It was just a bucket.
A public storage bucket on Amazon. That’s where UK Visa Portal parked the passports and selfies of thousands of people who thought they were getting immigration help.
TechCrunch learned the site was exposing at least 100,00 documents. Not metadata. The actual files. Clear. Visible. Available to anyone with the right link.
An anonymous source tipped us off.
They found a bug. It let them see the list.
This isn’t the U.K. government. This isn’t GOV.UK. This is a private company that takes fees for services you can get yourself for free or through official channels. People pay them by mistake. Or by design. It’s hard to tell when the site offers zero way to report a breach. Zero names on the contact page. Just a black box.
“We withheld specifics to minimize risk.”
We did our job. We published that something was wrong. We didn’t paste the URLs. We wanted to force a fix, not facilitate a data harvest.
By Wednesday night, the bucket was locked.
Silence from management followed.
Lawyers before fixes
Did they patch it first? Did they warn their users?
No. They called BakerHostetler. A U.S. law firm.
And FTI Consulting. A PR shop.
We tried to reach management. The customer support bot gave us an email for a Michael Taylor. Said he was a manager. He didn’t reply.
So the lawyers stepped in.
They asked us for info.
We asked for proof they represented UK Visa Portal. Public record. Court filing. Something.
They didn’t provide it.
We said fine. Copy Mr. Taylor. Have him reply.
Radio silence.
What exactly went missing?
The data was sitting in an Amazon-hosted server. Technically not “listing” files to the public eye, but the links themselves worked.
Passports. Selfies.
Some of those photos had EXIF data intact. Location coordinates.
Precise enough to reveal a home address in some cases.
Is it any wonder identity theft is booming?
We verified the leak. We contacted actual humans who submitted data to the site. They confirmed it was them. The documents were real. The risk was real.
The exposure highlights a broader, uglier trend.
Companies are misconfiguring storage. Again and again.
Governments are pushing age verification laws. More identity checks. More documents uploaded to shaky platforms. The target gets bigger every day.
UK Visa Portal (also called UK Visit or ETA-Pass ) claims to be run by Active Leadgen LLC, allegedly based in the U.A.E. We couldn’t confirm that part. It seems to be another shell.
Still no accountability
BakerHostetler partner Ryan Christian got a list of questions.
- How long was it exposed?
- Why did it happen?
- Do you have logs of who downloaded the data?
- Who is in charge of security there?
He didn’t respond.
It is illegal under U.S. and European law to ignore breaches. Notification requirements exist.
UK Visa Portal hasn’t notified anyone.
Applicants need to know this isn’t mandatory. You do not need a third party. Use the official U.K. government website. Save the fee. Save your face.
We published the first warning on May 26.
The bucket is closed now.
The lawyers are waiting for us. The managers are ghosting us.
And 100,00 people? They’re just waiting for someone to tell them they should check their credit monitoring.
If they ever hear.
