Fake UK Visa Website Exposed 100,000 Passports and Selfies Online — Still Not Fixed

A third-party website called UK Visa Portal — which has zero affiliation with the British government — has been leaking passport scans and selfie photos from at least 100,000 applicants, and as of May 26, 2026, the leak remains open. Some victims thought they were using an official government service. This is a full-blown identity theft disaster waiting to happen, and the company won't even talk to the journalists who found it.

A Fake Government Site Is Leaking Your Most Sensitive Documents

If you paid a website called UK Visa Portal to help with a UK immigration application, your passport and face are probably sitting on a public server right now.

TechCrunch security editor Zack Whittaker broke this story on May 26, 2026, after receiving a tip from an anonymous source. The tip was right. TechCrunch confirmed the leak is real by directly contacting affected individuals and verifying their exposed data.

At least 100,000 documents are publicly exposed. Passport scans. Selfie photos. The kind of biometric data that, once stolen, you cannot change.

This Company Is NOT the UK Government

UK Visa Portal has NO affiliation with the British government. NONE.

The official route for a UK Electronic Travel Authorisation costs £20 and runs through GOV.UK. The Home Office started enforcing ETA requirements for non-visa nationals on February 25, 2025, according to Prism News. That rollout created confusion — and predatory third-party sites stepped into the gap.

Some applicants believed they were using an official or government-linked service. They paid real money. They uploaded their passports. They uploaded their faces. And they got nothing but a data breach in return.

The Company Won't Talk. The Leak Won't Close.

UK Visa Portal has NO security reporting mechanism on its website. No named management. No direct contact for accountability. When TechCrunch emailed the only address listed on the site to report the breach responsibly, they heard back from purported attorneys and a public relations firm — not management.

TechCrunch explained that it couldn't share specific vulnerability details with a generic support inbox, for obvious reasons. It asked to be connected directly with the company's leadership. As of the reporting date, management had not responded.

The leak is still open.

What Criminals Can Do With This Data

Passport scans plus selfie photos are a dangerous combination. Prism News laid it out plainly: this package is usable for fraud, impersonation, and identity theft that can follow a victim for years. You can change your bank account number. You cannot change your face.

The Information Commissioner's Office — the UK's data protection regulator — requires qualifying personal data breaches to be reported within 72 hours of awareness, according to Prism News. Affected individuals must be notified without undue delay when the risk is high.

A company sitting on 100,000 passport scans and selfies, with a known active breach, hasn't notified anyone. This constitutes a regulatory violation with real human consequences.

This Isn't an Isolated Problem

The same week this story broke, The Guardian reported a separate passport data crisis. Eurail — the Dutch company behind Interrail rail passes — was hacked in December, exposing personal data including passport numbers, names, phone numbers, addresses, and dates of birth for more than 300,000 European travelers.

This week, Eurail told customers that the stolen data is now being offered for sale on the dark web, with a sample dataset already published on Telegram.

The UK Passport Office told at least one affected Eurail customer they needed to cancel their passport entirely to prevent fraudulent use — and pay the full £102 replacement fee themselves. A customer in Denmark faces a replacement cost exceeding £200.

"It's an absolute nightmare," one victim told The Guardian, requesting anonymity. "Do I really need to spend my money doing all this? If the official advice is to get a new passport, there does need to be some sort of compensation."

No one is offering compensation. Of course they're not.

What Coverage Is Missing

Much reporting frames this as a pure cybersecurity item — a technical breach, a company that messed up, the end. The story runs deeper.

This is also a consumer protection failure and a government communication failure. The UK government's ETA rollout created demand. Predatory lookalike sites filled the void. The government did not warn applicants clearly enough that third-party services were unnecessary and potentially dangerous.

The ICO's 72-hour reporting requirement sounds robust on paper. But if a company has no named management and routes all contact through PR firms and lawyers, that rule has zero teeth. The regulatory framework assumes a functioning compliance structure exists. Here, it clearly doesn't.

What You Need to Do Right Now

If you used UK Visa Portal at any point, assume your documents are compromised.

  • Contact your passport-issuing authority about the risk to your document.
  • Monitor your financial accounts and credit reports for unusual activity.
  • Do NOT use third-party visa assistance websites unless you are working with a licensed immigration attorney.
  • The official UK ETA application is at GOV.UK. That's the only place it should be done.

You were trying to follow the rules and enter a country legally. You got burned for it. That's on the company that built a trap and on a regulatory environment that let it operate.

Someone needs to shut this site down.

Sources

  • TechCrunch: UK Visa Portal spilled thousands of applicants’ passports and selfies online — and hasn’t fixed the leak
  • Prism News: UK visa portal leaks 100,000 sensitive applicant documents online
  • digit.in: Paid for UK visa online? Your passport and selfie may have been exposed in alleged data leak
  • The Guardian: Some Interrail travellers told to cancel passports as hacked data posted online