An unofficial website calling itself UK Visa Portal has exposed the passports and selfie photos of visa applicants, and the security flaw remains unpatched, according to TechCrunch, which reported the breach on 26 May.
What the breach exposes
The site, which is not affiliated with the U.K. government, collects identity documents from applicants seeking a U.K. electronic travel authorization (ETA). TechCrunch reported that documents — including high-resolution passport scans and biometric-style selfies — were publicly accessible, and verified the authenticity of the exposed data by contacting affected individuals directly.
The combination of passport image plus matching selfie is particularly valuable for identity fraud, as this pair is what KYC systems at banks, crypto exchanges, and remittance services typically require to onboard a user.
The disclosure dead-end
TechCrunch reports that UK Visa Portal provides no security disclosure channel and no named management contacts on its website. The response to TechCrunch’s inquiry came from the company’s purported attorneys and public relations firm rather than any technical owner. At the time of TechCrunch’s reporting, the security lapse had not been fixed.
That structure — a customer-facing storefront wrapped around legal and PR intermediaries with no identifiable engineering owner — is increasingly typical of the third-party immigration services layer that has grown up around government visa portals worldwide.
The look-alike economy
The ETA is issued directly by the Home Office through the official GOV.UK service. Yet a parallel market of look-alike portals — surfaced through search-engine ads and SEO — captures users who assume the first result is the official one.
Visitors to the r/ukvisa subreddit have repeatedly flagged confusion over whether UK Visa Portal is a legitimate government channel, with some reporting they paid fees in the belief that they were using an official service.
The structural gap
The UK’s ETA scheme, which, as the BBC has explained, expanded to cover most non-visa nationals through 2025, has dramatically widened the pool of travellers required to submit biometric data to a U.K.-facing application form. That expansion has created commercial demand the official portal does not capture: travellers unfamiliar with GOV.UK’s interface, or routed via Google search, end up at intermediaries.
These intermediaries operate without a licensing regime. Unlike regulated immigration advisers, an ETA reseller needs no accreditation to collect passports and selfies at scale. The data-protection liability sits with whichever entity is named as controller — which, in UK Visa Portal’s case, is not publicly identified.
Why the leak persists
The institutional incentive to fix a breach is proportional to the cost of not fixing it. For an operator with no public-facing management, no security contact, and a revenue model built on inbound search traffic rather than repeat custom, the cost of an unpatched leak is close to zero until a regulator forces the issue. The Information Commissioner’s Office has the authority to act on UK-resident data, but enforcement against opaque corporate structures has historically been slow.
Travellers applying for a U.K. ETA should submit applications through the official government website.
















