UK Visa Portal exposed thousands of applicants’ passports and selfies — then called the lawyers on us

A third-party website used in the U.K. visa application process exposed sensitive applicant data, including passports, selfies, and location information. After being notified, the site reportedly responded by involving lawyers rather than immediately addressing the security flaw.

The incident highlights the risks governments face when outsourcing sensitive identity workflows to external vendors. It also reflects a troubling pattern where organizations treat vulnerability reporting as a legal threat instead of an opportunity to improve data protection.

The third-party website exposed passports, selfies, and the location data of applicants who submitted their documents as part of the U.K. visa application process. Instead of fixing the issue, the website sent attorneys.