A UK visa application portal operated by a third-party contractor exposed thousands of applicants' passport scans and selfies online, leaving sensitive biometric data accessible to the public. The company running the system discovered the breach but responded by sending legal threats rather than securing the exposed information, according to TechCrunch reporting.

The leak occurred through an unsecured endpoint on the visa portal's website, which stored identity documents without proper access controls. Applicants submitting UK visa applications uploaded their passport photos and facial recognition images to the platform as part of standard processing requirements. These files remained publicly viewable for an extended period.

When security researchers or applicants flagged the exposure, the company's response prioritized legal action over remediation. Instead of immediately taking down the leaked data or implementing access restrictions, attorneys sent cease-and-desist letters, treating disclosure as a threat rather than a critical security issue.

The breach raises serious questions about third-party security in government immigration systems. The UK Home Office outsources visa portal operations to private contractors, creating a dependency on external companies to safeguard biometric data at scale. This incident demonstrates the risks that arise when contractors prioritize legal liability over user protection.

Passport and biometric data constitute some of the most sensitive personal information. Leaked selfies and passport scans enable identity theft, fraud, and surveillance abuse. The exposed applicants faced potential compromise of their identities while navigating already complex visa processes.

The company's handling of the disclosure reflects a troubling pattern in tech security. Rather than following responsible disclosure practices—fixing vulnerabilities quickly and notifying affected users—the contractor weaponized legal authority to suppress awareness of the problem. This approach delays fixes, compounds exposure periods, and erodes trust in systems handling critical government functions.

The UK Home Office faces pressure to audit third-party vendor security practices and establish clearer breach response protocols. Government contractors handling biometric data should face mandatory