The breach occurred on a website run on behalf of UKVisas, the joint Home Office and Foreign & Commonwealth Office directorate responsible for visa processing. The site was run by VSF Global, a commercial partner based in India, and the security breach meant that the personal data of people applying for visas to enter the UK was visible to others visiting the website.
The Information Commissioner's Office was alerted to the breach in May. It said that the FCO cooperated fully with its investigation, and the sites were closed immediately.
As a result, the FCO is now required to sign a formal undertaking to comply with the principles of the Data Protection Act. If there is a failure to meet the terms of the undertaking, the ICO can take further action.
Mick Gorrill, assistant commissioner at the ICO, said: "Organisations have a duty under the Data Protection Act to keep our personal information secure.
"If organisations fail to take this responsibility seriously, they not only leave individuals vulnerable to identity theft but risk losing individuals' confidence and trust. We investigate any organisation in breach of the act and will not hesitate to take appropriate action."
UKVisas has already issued a statement saying that the VFS online application websites would not be reopened, and would be replaced by visa4UK. It also pledged to undertake a review of data processing to strengthen its risk management processes, and a detailed audit of the data processors' data security procedures.