The passport scans and selfie photos of at least 100,000 people were somewhere on an Amazon storage server, quietly and publicly available to anybody with the correct web address. Some of those pictures had embedded GPS coordinates that were accurate enough to show the location of the picture, and in a few instances, accurate enough to identify a person’s house. a number from a passport. a face. A place. One file for everything. That is all that is needed for identity fraud, and for an undisclosed period of time, this information was practically accessible to anyone who went looking.
UK Visa Portal is the name of the website in question. The British government is not in charge of it. It has no connection to any government immigration agency. According to most reasonable assessments, it is a third-party service that charges fees to assist individuals in applying for UK electronic travel authorizations. It appears to be run by Active Leadgen LLC, a company registered in the UAE. The actual application is free, takes a few minutes to complete, and can be found on GOV.UK. Even so, thousands of people used the UK Visa Portal, perhaps because government websites can be confusing or because a well-designed third-party website happened to show up in a search result at the perfect time.
A sophisticated cyberattack was not the cause of the leak. No ransomware, no intricate breach, no hacker in a dark room. A public Amazon storage bucket that wasn’t publicly listing its contents but whose individual files were fully accessible to anyone with the direct web address was a configuration error. It appears that the address list could be viewed due to a bug in the back end of the website. The exposure was simple after that. In cybersecurity, this is a common and annoying pattern. External threats are not always the source of the damage. Sometimes no one checks, so a server is simply left open.
TechCrunch contacted UK Visa Portal using its provided email address after learning about the lapse from an anonymous tipster. It was not a direct response from management, nor was it a fix or an acknowledgement. Instead, lawyers from the American legal firm BakerHostetler and representatives from the public relations firm FTI Consulting showed up. Neither was able to offer formal proof that they were permitted to speak on the company’s behalf. The journalists’ stance remained constant: they were not allowed to provide unverified intermediaries with technical details regarding an active security breach. A straightforward solution was suggested: either get copied on the thread or have a manager respond directly. No one did.
It’s difficult not to interpret that answer in some way. It’s a common crisis management tactic to turn to attorneys and communications specialists before addressing the real issue, but it’s especially bad when the issue involves people’s biometric information being exposed online. Hours after TechCrunch released its first article, the bucket was secured overnight and into Wednesday. Ryan Christian, a partner at BakerHostetler, declined to comment on how long it had been open before that.
This is more than just a single improperly configured server. Globally, governments are putting more of the immigration and visa process online, implementing age-verification legislation, and growing online identity verification systems. Due to this change, there is an increasing market for third-party services that are prepared to set up shop next to official government procedures in order to obtain private documents from individuals who might not fully comprehend the difference between an official website and a convincing replica. It is unlikely that UK Visa Portal will be the last business in that industry to handle its data improperly.
It’s unclear what happens to those whose data was compromised. It’s unclear if the UK Visa Portal will inform impacted applicants or notify authorities of the breach as required by data protection laws in various jurisdictions. The incident has yet to be publicly acknowledged by the company. Some of the people who uploaded their passports to that website seem to feel that the story hasn’t truly ended yet; it’s just been relocated to a less obvious location.
