Fake UK Visa Service Exposes 100,000 Passports and Selfies via Public AWS Bucket
What Happened — A third‑party visa‑application website operated by Active Leadgen LLC (UAE‑registered) stored uploaded passport scans and selfie photos on an Amazon S3 bucket that was publicly reachable. The bucket did not list its contents, but anyone who guessed the object URLs could download the files, exposing at least 100,000 personal documents.
Why It Matters for TPRM —
- Direct exposure of government‑issued IDs, facial images and GPS‑tagged location data creates a massive identity‑theft vector.
- The breach stems from a cloud‑storage misconfiguration, highlighting the need for strict third‑party cloud‑security controls.
- Vendor’s poor incident‑response (lawyers instead of remediation) signals governance and communication gaps.
Who Is Affected — Travelers applying for UK electronic travel authorizations; the broader public whose passports were processed through the fraudulent portal.
Recommended Actions —
- Immediately verify that the vendor has secured or removed the exposed S3 bucket and deleted all compromised files.
- Conduct a focused risk assessment on any downstream services that may have ingested the data.
- Notify affected individuals per applicable data‑protection regulations and offer identity‑theft protection services.
- Re‑evaluate third‑party due‑diligence processes, emphasizing cloud‑configuration reviews and incident‑response capabilities.
Technical Notes — The vulnerability was a classic S3 bucket misconfiguration (public read access without proper authentication). No CVE is associated. Exposed data included passport numbers, scanned passport pages, selfie photos with embedded GPS coordinates, and metadata linking the two. Source: Security Affairs