ctipilot.ch


UK Visa Portal — ~100,000 passport scans and selfies on a public-read S3 bucket behind a government-lookalike site

From CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026) · published 2026-05-25

TechCrunch found ~100,000 passport scans and applicant selfies exposed on a public-read Amazon S3 bucket used by "UK Visa Portal," a site not affiliated with the UK government that some applicants mistook for the official GOV.UK service; the leak was unfixed at time of reporting (2026-05-29). There are two lessons for defenders. The technical failure is the oldest cloud-storage misconfiguration in the book: object-level public read on a sensitive bucket. The social failure is the government-service lookalike that harvested real identity documents from people who believed they were on an official portal, which is a brand-protection and citizen-awareness problem for the genuine public-sector body whose service is being impersonated. CH/EU public bodies should monitor for lookalike service domains and re-confirm that no applicant-document storage is world-readable.
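One way to run the "world-readable" re-confirmation on your own buckets, as an added example that is not from TechCrunch's reporting or the original brief. It evaluates a bucket policy, an object's ACL grants and the Public Access Block settings offline. The inputs are constructed samples shaped like the boto3 `get_bucket_policy`, `get_object_acl` and `get_public_access_block` responses; the bucket name and the function names are hypothetical.

```python
import json
from fnmatch import fnmatchcase

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"  # S3's "anyone" group

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _is_anonymous(principal):
    # "*" and {"AWS": "*"} both mean any caller, including unauthenticated ones.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_read_findings(policy_json, object_grants, pab):
    """Return the reasons an object in the bucket is readable anonymously."""
    findings = []
    # RestrictPublicBuckets cuts off anonymous access granted by a public policy.
    if not pab.get("RestrictPublicBuckets", False):
        for st in _as_list(json.loads(policy_json or "{}").get("Statement", [])):
            if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
                continue
            # Action patterns may be wildcards ("s3:*", "s3:Get*"); match case-insensitively.
            actions = [a.lower() for a in _as_list(st.get("Action", []))]
            if any(fnmatchcase("s3:getobject", a) for a in actions):
                note = " (has Condition, review manually)" if st.get("Condition") else ""
                findings.append(f"policy:{st.get('Sid', '?')}{note}")
    # IgnorePublicAcls makes S3 disregard AllUsers grants on buckets and objects.
    if not pab.get("IgnorePublicAcls", False):
        for g in object_grants:
            if g["Grantee"].get("URI") == ALL_USERS and g["Permission"] in ("READ", "FULL_CONTROL"):
                findings.append(f"acl:AllUsers:{g['Permission']}")
    return findings

# Constructed sample inputs; "example-applicant-docs" is a placeholder bucket name.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-applicant-docs/*"}]})
SAMPLE_GRANTS = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
PAB_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
PAB_ON = {k: True for k in PAB_OFF}

if __name__ == "__main__":
    print("weak:    ", public_read_findings(SAMPLE_POLICY, SAMPLE_GRANTS, PAB_OFF))
    print("hardened:", public_read_findings(SAMPLE_POLICY, SAMPLE_GRANTS, PAB_ON))
```

An empty result for every bucket that holds applicant documents is the target state; Public Access Block can also be set at account level, where it applies to all buckets in the account.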