UK Visa Portal exposed at least 100,000 passports and selfie photos through a misconfigured Amazon S3 bucket, a lapse that, left unreported, potentially violates UK GDPR Article 33 and US state breach notification statutes. When TechCrunch reported it, the company skipped the patch and called BakerHostetler.
The bucket didn't allow public listing, but individual objects were readable by anyone holding a direct URL, and a bug in the portal's backend allowed its full contents to be enumerated. Many photos embedded GPS coordinates precise enough to pinpoint a user's home address.
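The GPS exposure is a separate defect from the bucket permissions: a service storing applicant photos should detect and strip EXIF location tags before the file is ever written to storage. The following is an added example, not code from UK Visa Portal or from TechCrunch's investigation; it builds a constructed sample JPEG with a GPS IFD, reads the coordinates back the way an upload check would, and removes the APP1 segment so the stored copy carries none.

```python
import struct

GPS_IFD, LAT_REF, LAT, LON_REF, LON = 0x8825, 0x1, 0x2, 0x3, 0x4  # EXIF GPSInfo pointer and GPS IFD tag ids

def build_sample_jpeg(lat, lon):
    """Constructed sample: a minimal JPEG whose EXIF APP1 segment carries a GPS IFD (little-endian)."""
    def dms(v):  # decimal degrees -> degrees, minutes, seconds*100 as three RATIONALs
        v = abs(v); d = int(v); m = int((v - d) * 60); s = round(((v - d) * 60 - m) * 6000)
        return struct.pack("<6I", d, 1, m, 1, s, 100)
    ents = [(LAT_REF, 2, 2, b"N\0\0\0" if lat >= 0 else b"S\0\0\0"), (LAT, 5, 3, struct.pack("<I", 80)),
            (LON_REF, 2, 2, b"E\0\0\0" if lon >= 0 else b"W\0\0\0"), (LON, 5, 3, struct.pack("<I", 104))]
    ifd0 = struct.pack("<HHHII", 1, GPS_IFD, 4, 1, 26) + b"\0\0\0\0"  # one entry pointing at the GPS IFD at 26
    gps = struct.pack("<H", 4) + b"".join(struct.pack("<HHI", t, ty, c) + v for t, ty, c, v in ents) + b"\0\0\0\0"
    app1 = b"Exif\0\0" + b"II*\0" + struct.pack("<I", 8) + ifd0 + gps + dms(lat) + dms(lon)  # rationals at 80, 104
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def _segments(jpeg):
    """Yield (offset, marker, total_length) for each marker segment before scan data or EOI."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, seglen = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker in (0xD9, 0xDA):  # EOI or SOS: no more metadata segments follow
            return
        yield pos, marker, 2 + seglen
        pos += 2 + seglen

def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees when the EXIF block carries a GPS IFD, else None."""
    tiff = next((jpeg[p + 10:p + n] for p, m, n in _segments(jpeg) if m == 0xE1 and jpeg[p + 4:p + 10] == b"Exif\0\0"), None)
    if tiff is None: return None
    e = "<" if tiff[:2] == b"II" else ">"  # byte order comes from the TIFF header
    def ifd(off):  # tag -> (type, count, raw 4-byte value-or-offset)
        n = struct.unpack(e + "H", tiff[off:off + 2])[0]
        return {t: (ty, c, raw) for t, ty, c, raw in struct.iter_unpack(e + "HHI4s", tiff[off + 2:off + 2 + 12 * n])}
    ifd0 = ifd(struct.unpack(e + "I", tiff[4:8])[0])
    if GPS_IFD not in ifd0: return None
    gps = ifd(struct.unpack(e + "I", ifd0[GPS_IFD][2])[0])
    if any(t not in gps for t in (LAT_REF, LAT, LON_REF, LON)): return None
    def deg(entry):  # three RATIONALs (deg, min, sec) stored at the entry's offset
        d, dd, m, md, s, sd = struct.unpack(e + "6I", tiff[struct.unpack(e + "I", entry[2])[0]:][:24])
        return d / dd + m / md / 60 + s / sd / 3600
    lat = deg(gps[LAT]) * (-1 if gps[LAT_REF][2][:1] == b"S" else 1)
    lon = deg(gps[LON]) * (-1 if gps[LON_REF][2][:1] == b"W" else 1)
    return round(lat, 4), round(lon, 4)

def strip_exif(jpeg):
    """Return a copy with every APP1 (EXIF) segment dropped, so a stored file carries no GPS tags."""
    segs = list(_segments(jpeg))
    body = b"".join(jpeg[p:p + n] for p, m, n in segs if m != 0xE1)
    return jpeg[:2] + body + jpeg[2 + sum(n for _, _, n in segs):]
```

Run `extract_gps` on an upload to log and reject geotagged files, or `strip_exif` to sanitise them before they reach the bucket; real camera output also carries other APP1 payloads (XMP), which this minimal stripper removes along with EXIF.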
UK Visa Portal, also operating as UK Visit and ETA-Pass, isn’t affiliated with the UK government. Applicants can obtain an electronic travel authorization directly at GOV.UK for £20, no intermediary required. Some users apparently paid this service’s fees by mistake.
BakerHostetler partner Ryan Christian and PR firm FTI Consulting contacted TechCrunch on the company's behalf. The attorneys wouldn't confirm they were authorized to speak for the company, and manager Michael Taylor never replied. The bucket was secured only after TechCrunch published its investigation.
The company, allegedly run by Active Leadgen LLC out of the UAE, still hasn’t notified affected users or regulators. Under UK GDPR Article 33, controllers must report a notifiable breach to the ICO within 72 hours of becoming aware of it. That window closed.
Third-party portals mimicking government visa services are a recurring enforcement target, and the ICO has the tools for it: civil monetary penalties up to £17.5 million or 4% of global annual turnover, mandatory notification, and compulsory audits. Active Leadgen LLC’s UAE address doesn’t shield it; UK GDPR follows the data, not the server room.
Christian hasn’t responded to TechCrunch’s follow-up questions. The ICO notification clock ran out days ago.
— James Okafor