A third-party UK visa application site, not affiliated with the British government, exposed at least 100,000 passports and selfies on a public AWS server. Operated by Active Leadgen LLC, the site charged fees for electronic travel authorizations, which could be obtained for free through the official GOV.UK site. The security breach was uncovered by TechCrunch, which managed to confirm the exposure by contacting affected individuals.
Details included sensitive personal information, such as GPS coordinates in selfies, raising significant identity theft concerns. Despite attempts to notify the site, the response from the company was inadequate, involving only legal representatives instead of addressing the breach directly. The data exposure was secured following the reporting, but questions about the duration of the exposure and the responsibility for cybersecurity remained unanswered.