A fake UK visa site has been leaking 100,000 passports and selfies for weeks, and the part nobody is talking about is why the operator has zero incentive to fix it

An unofficial website calling itself UK Visa Portal has exposed the passports and selfie photos of visa applicants, and the security flaw remains unpatched, according to TechCrunch, which reported the breach on 26 May.

What the breach exposes

The site, which is not affiliated with the U.K. government, collects identity documents from applicants seeking a U.K. electronic travel authorization (ETA). TechCrunch reported that documents — including high-resolution passport scans and biometric-style selfies — were publicly accessible, and verified the authenticity of the exposed data by contacting affected individuals directly.

The combination of passport image plus matching selfie is particularly valuable for identity fraud, as this pair is what KYC systems at banks, crypto exchanges, and remittance services typically require to onboard a user.

The disclosure dead-end

TechCrunch reports that UK Visa Portal provides no security disclosure channel and no named management contacts on its website. The response to TechCrunch’s inquiry came from the company’s purported attorneys and public relations firm rather than any technical owner. At the time of TechCrunch’s reporting, the security lapse had not been fixed.

That structure — a customer-facing storefront wrapped around legal and PR intermediaries with no identifiable engineering owner — is increasingly typical of the third-party immigration services layer that has grown up around government visa portals worldwide.

The look-alike economy

The authorisation is issued directly by the Home Office through the official GOV.UK service. Yet a parallel market of look-alike portals — surfaced through search-engine ads and SEO — captures users who assume the first result is the official one.

Visitors to the r/ukvisa subreddit have repeatedly flagged confusion over whether UK Visa Portal is a legitimate government channel, with some reporting they paid fees in the belief that they were using an official service.

The structural gap

The UK’s ETA scheme, which the BBC has explained expanded to cover most non-visa nationals through 2025, has dramatically widened the pool of travellers required to submit biometric data to a U.K.-facing application form. That expansion has created commercial demand the official portal does not capture: travellers unfamiliar with GOV.UK’s interface, or routed via Google search, end up at intermediaries.

These intermediaries operate without a licensing regime. Unlike regulated immigration advisers, an ETA reseller needs no accreditation to collect passports and selfies at scale. The data-protection liability sits with whichever entity is named as controller — which, in UK Visa Portal’s case, is not publicly identified.

Why the leak persists

The institutional incentive to fix a breach is proportional to the cost of not fixing it. For an operator with no public-facing management, no security contact, and a revenue model built on inbound search traffic rather than repeat custom, the cost of an unpatched leak is close to zero until a regulator forces the issue. The Information Commissioner’s Office has the authority to act on UK-resident data, but enforcement against opaque corporate structures has historically been slow.

Travellers applying for a U.K. ETA should submit applications through the official government website.