The UK Visa Portal website is publicly exposing passports and selfies of visa applicants to the UK — and has yet to patch the vulnerability, according to TechCrunch. An anonymous source told TechCrunch that at least 100,000 documents have been compromised. TechCrunch confirmed the authenticity of the data by directly contacting victims.
UK Visa Portal is not an official UK government website — the official site is GOV.UK. Many users have reported accidentally paying fees to this site instead of submitting applications through the official channel.
TechCrunch contacted the company to warn them but only received responses from their lawyers and PR firm. The UK Visa Portal leadership has not commented. The website also lacks a security vulnerability reporting mechanism. As of the time of publication, the vulnerability remains.
A passport combined with a selfie is the ideal data pair for identity fraud — and cannot be 'changed' like a password.
Analysis
This breach is not merely a technical incident — it is a typical consequence of a business model that exploits user confusion. UK Visa Portal operates in a legal gray zone: not a government agency, not a licensed law office, yet it collects visa processing fees and stores customers' most sensitive biometric data — passports and facial photographs.
This model is not new. Similar "visa agent" websites have proliferated in the United States, Australia, and Canada, targeting immigrants with limited English proficiency or unfamiliarity with administrative procedures. When incidents occur, they lack security vulnerability reporting mechanisms, have no clear accountability, and their first response is lawyers and PR — not engineers.
A passport combined with a selfie is the ideal data pair for identity fraud and document forgery. Unlike passwords, passports cannot be "changed" with a few clicks. Victims will face risks that persist for years.
What is alarming is that the company remains silent despite being warned. This indicates they lack either the capability — or the will — to treat security issues seriously.
Diaspora Impact
Two groups within the Vietnamese diaspora community in the United States face direct risk from this incident.
First, OPT and STEM OPT students planning to study or intern in the UK — concentrated particularly in cities like San Jose, Houston, and Philadelphia — may have used UK Visa Portal instead of GOV.UK because this site ranks high in search results. If their passports and photographs are leaked, the risk of identity fraud could affect pending H-1B visa applications or green card applications being processed in parallel.
Second, first-generation relatives applying for visitor visas to the UK to visit children and grandchildren settled there — a group with limited familiarity with online administrative procedures who are easily directed to unofficial websites. If their data is misused, their future visa application processes could be seriously compromised.