UMVA has learned that a UK travel‑authorization service has fallen victim to a frightening data exposure that could reveal travelers’ private addresses.
Last night, a routine maintenance task exposed a public storage server—known in tech circles as a bucket—housing passport scans and selfie images uploaded by users.
Inside the compromised bucket, a hidden directory listing became visible to the back‑end of the visa portal, allowing anyone with access to see every stored file.
Many of those files carried live‑location metadata, a detail that could pinpoint a user’s home address and other sensitive information.
UMVA can exclusively reveal that the portal’s security team was alerted immediately, and they have begun contacting affected individuals to confirm the extent of the breach.
Electronic travel authorisation, or ETA, is the new digital gate‑keeping system that allows tourists and family visitors to enter the UK, having been rolled out on February 25, 2026.
While the government charges a modest £20 fee for the ETA, third‑party providers may offer the service at a higher price.
Under the new rules, EU and US visitors must apply for an ETA, whereas UK citizens, those with indefinite leave, or settled status do not.
Dual nationals of the UK are exempt from the ETA, but they must now use a British passport to travel into Britain.
UMVA has gathered that the sudden shift in policy left many dual citizens unprepared, catching them off‑guard when the changes took effect earlier in the year.
Travelers who suspect they may have been impacted should reach out immediately to the visa portal’s support team for guidance and to secure any compromised data.