(UNITED KINGDOM) — A third-party website called UK Visa Portal exposed at least 100,000 passport scans, selfie images, and photo metadata after a publicly accessible Amazon S3 storage bucket left applicants’ records open online, according to reporting published in late May and statements attributed to the UK Home Office.

The breach did not involve the official UK government visa system. The exposed site, ukvisaportal.com, presented itself in a way that could lead applicants to believe it was connected to the government’s visa and Electronic Travel Authorization process. The UK Home Office said third-party visa assistance sites are unaffiliated and urged applicants to use the official GOV.UK service instead.

Reports on the incident said the exposed files included high-resolution passport images and selfie photographs submitted for identity checks. In many cases, the image files also contained embedded GPS metadata. That data may reveal where a photo was taken and, in some cases, a home address or other precise location information. Combined with passport numbers and facial images, that creates a serious identity theft and fraud risk.

The reported cause was a misconfigured Amazon S3 bucket tied to the UK Visa Portal site, along with a backend flaw that allowed outside parties to view a broader file listing. Publicly exposed cloud storage has become a recurring fact pattern in privacy enforcement because access failures often turn ordinary document collection into a large-scale data breach with cross-border consequences.

Corporate records and reporting identified the operator as Active Leadgen LLC, a company registered in the United Arab Emirates. Journalists who attempted to alert the company said they did not first receive a direct technical response from management. Instead, they were contacted by the U.S. law firm BakerHostetler and the consulting firm FTI Consulting, which sought information about the reporting. That sequence drew criticism from cybersecurity specialists who said immediate containment and notice should have taken priority.

As of May 28, 2026, neither USCIS nor the Department of Homeland Security had issued any press release or formal statement about this incident. That is consistent with the site’s subject matter. The breach concerns a private service tied to UK travel authorization applications, not a U.S. immigration filing under the INA or a USCIS benefit request. USCIS has, however, long warned applicants to avoid unofficial immigration services and scam sites.

Legal exposure may extend across several jurisdictions. In the UK, the Information Commissioner’s Office may examine whether personal data was handled lawfully and secured adequately under domestic privacy rules. In other countries, affected applicants may also have claims or reporting rights under national breach-notification, consumer protection, or identity-theft laws. Jurisdiction will likely depend on where the applicant lived, where the operator processed data, and what contractual disclosures, if any, the site presented.

The legal significance goes beyond overcharging. A passport copy, facial image, and address data may support account takeovers, synthetic identity fraud, fraudulent travel bookings, and document misuse. If minors’ records were included, regulators may examine whether the operator applied heightened safeguards. If the site marketed itself in a way that implied official status, consumer protection authorities may also review whether applicants were misled at the point of payment and data collection.

The Home Office, as quoted by BBC News, said it was aware of reports involving a third-party visa assistance website and stated that the site was not an official government service. That distinction matters. Applicants who submitted documents through a private portal may not receive the protections, disclosures, or support channels they expected from a government system. It also complicates notice, remediation, and any later dispute over where data went.

Anyone who used the site should treat the passport as potentially compromised. Monitor credit reports and bank activity, enable multi-factor authentication on email, financial, and travel accounts, and keep copies of any confirmation emails or payment records from the portal. A report to the national passport authority may be appropriate if the issuing country has a process for compromised travel documents. Complaints may also be filed with the UK Information Commissioner’s Office. General scam prevention guidance is available from [USCIS](https://www.uscis.gov/avoid-scams), even though this incident sits outside U.S. immigration adjudications.

People facing urgent travel or immigration deadlines should use only official government portals and may wish to speak with qualified counsel if a compromised passport or identity record affects visa processing, boarding, or inspection issues. Lawyer referral resources include the [AILA Lawyer Referral](https://www.aila.org/find-a-lawyer) service and the Immigration Advocates Network.

⚖️ Legal Disclaimer: This article provides general information about immigration law and is not legal advice. Consult a qualified immigration attorney for advice about your specific situation.