A website called UK Visa Portal is publicly exposing the passports and selfie photos of thousands of people who paid it to help process a UK immigration visa. Security researcher Zack Whittaker reported the exposure on Tuesday, May 26, after an anonymous tipoff. YourNewsClub reported on this as soon as the disclosure became public: at least 100,000 documents are exposed. The site is not affiliated with the UK government. Some users paid fees to it under the mistaken belief it was the official application portal.
Whittaker verified the authenticity of the exposed data by contacting affected individuals directly. The documents – passport scans and identity selfies – sit at the most sensitive end of personal data: they combine biometric images with document numbers, date of birth, nationality, and full legal name, creating conditions for identity fraud, impersonation, and targeted phishing at scale. The site had no mechanism for reporting security issues. No names or management contacts appeared on the website.
Whittaker contacted UK Visa Portal via the email address on its website to alert the company to the ongoing exposure. Rather than receiving a management contact in return, he heard from purported attorneys and a public relations firm. He explained that given the sensitivity of the exposed data, he could not share technical specifics with a general customer support inbox. As of publication on Tuesday, the exposure had still not been fixed. YourNewsClub treats the decision to engage attorneys and PR rather than a security team as the most telling organisational signal in this story.
The site exploits a well-documented confusion pattern. Applicants seeking a UK Electronic Travel Authorisation do not need a third-party service unless they retain an immigration attorney. People who search for “UK visa application” frequently land on commercial intermediaries, some of which look and operate like official government portals while charging fees for a process that costs less or nothing on the actual government website. The UK government’s official application route runs through GOV.UK.
UK data protection law requires organisations that collect personal data to implement appropriate technical and organisational measures to secure it, and to notify affected individuals and the Information Commissioner’s Office within 72 hours of becoming aware of a breach. A live exposure that the company’s own management has not acknowledged after being specifically notified constitutes a likely breach of those obligations. YourNewsClub notes that the ICO has authority to fine organisations up to £17.5 million or 4% of global annual turnover, whichever is higher, for serious violations of UK GDPR.
The pattern here is not new. Third-party visa and passport intermediaries have a long history of creating confusion, collecting fees, and handling sensitive documents without the security infrastructure those documents require. UK Home Office data shows that more than 1.5 million electronic travel authorisation applications arrived in 2025, creating a large pool of applicants who searched online and may have landed on commercial lookalikes. What makes the UK Visa Portal case notable is the documented scale – more than 100,000 documents – and the specific response to a security disclosure: attorneys instead of a security patch. YourNewsClub flags that response sequence as the detail that transforms this from a technical incident into an organisational accountability story.
The practical risk for affected individuals is immediate: exposed passport scans and selfies can be used to create fraudulent identity documents, pass identity verification checks at financial institutions, and build targeted social engineering attacks. Most affected individuals do not know their documents are accessible. Whittaker’s reporting did not publish precise technical details to minimise further risk, but the exposure remained live as of publication time.
Three things to watch: whether UK Visa Portal fixes the exposure in the days following publication; whether the Information Commissioner’s Office opens an investigation; and whether affected individuals receive any formal notification, which UK GDPR requires. The security desk at Your News Club calls this an active, unresolved situation where the company’s silence makes the exposure ongoing rather than historical. The moment the breach gets fixed, the notification clock starts.