Thousands of people applying for UK travel authorisations may have had highly sensitive personal information exposed after a third-party visa website reportedly left documents publicly accessible on the internet.
According to reports, the website “UK Visa Portal” stored customer files in an unsecured cloud storage system without password protection.
Researchers claim more than 100,000 documents may have been accessible, including passports, selfies, contact details and other identity documents.
The website is not part of the official UK government visa or Electronic Travel Authorisation (ETA) system.
What information was reportedly exposed?
Reports suggest the exposed files included:
- Passport scans
- Verification selfies and photographs
- Full names
- Dates of birth
- Passport numbers
- Nationalities
- Home addresses
- Email addresses
- Telephone numbers
- Passport issue and expiry dates
Researchers also reportedly found that the storage system used predictable web links, meaning files may have been easier to access than they should have been.
Why this type of data breach is serious
Passport information is among the most sensitive forms of personal data. Unlike a password, you cannot simply change your date of birth or passport history if that information is exposed.
When identity documents, photographs and contact details are leaked together, criminals may attempt to use the information for:
- Identity theft
- Fraudulent financial applications
- Phishing scams
- Account takeovers
- Social engineering attacks
Even if there is no evidence that data has been accessed or misused yet, exposed identity documents can remain valuable to cybercriminals for years.
Confusion around unofficial visa websites
One of the concerns raised by this incident is that some users may not have realised they were using a third-party service rather than an official government platform.
Many unofficial visa and travel authorisation websites appear prominently in search results and can look similar to official services. In some cases, they charge additional processing fees on top of government application costs.
The UK government currently offers its own ETA application process directly through official GOV.UK channels.
What should affected individuals do?
Anyone who used the website may wish to take precautionary steps, including:
- Monitoring bank and credit accounts for suspicious activity
- Being cautious of phishing emails, texts or phone calls
- Using strong passwords and multi-factor authentication
- Watching for unexpected identity verification requests
- Checking whether their passport or identity details appear in future scam attempts
If organisations hold personal data and suffer a breach, UK data protection laws may require them to notify affected individuals where there is a risk to people’s rights and freedoms.
At the time of writing, it is unclear whether all potentially affected users had been contacted.
Data breaches and consumer rights
Large-scale data breaches are becoming increasingly common.
Research suggests 4.4 million UK accounts were exposed in just the first three months of 2026, pushing the long-term total to over 33 million compromised accounts.
While not every data breach automatically leads to compensation, individuals may have legal rights where poor security practices expose personal data and cause financial loss, distress or misuse of private information.
We are keeping an eye on this developing situation and will provide more updates if needed.
Join the Claim connects consumers with SRA-regulated lawyers. Keep an eye out for updates on any potential claim and possible eligibility checks/registration opportunities.
