Hotel glitch exposed 1M passports and driver’s licenses

Summary
– A hotel check-in system called Tabiq exposed over one million customer passports, driver’s licenses, and selfie photos on the open web due to a misconfigured Amazon cloud storage bucket.
– The data was secured after TechCrunch alerted Reqrea, the Japan-based startup that maintains Tabiq, and Japan’s cybersecurity team JPCERT.
– Security researcher Anurag Sen discovered the leak, which allowed anyone with the bucket name “tabiq” to view the data without a password.
– Reqrea director Masataka Hashimoto stated the company is reviewing the exposure’s scope and plans to notify affected individuals after its investigation.
– The incident highlights a common cybersecurity failure where human error or misconfiguration, not sophisticated attacks, leads to exposure of sensitive documents.
A security failure in a hotel check-in system has exposed over one million passports, driver’s licenses, and selfie verification photos to the open internet. The data was taken offline after TechCrunch notified the company responsible for the lapse.
The system in question, called Tabiq, is developed by Reqrea, a Japan-based tech startup. According to the company’s website, Tabiq is deployed in multiple hotels across Japan and relies on facial recognition and document scanning to process guest check-ins.
Independent security researcher Anurag Sen contacted TechCrunch earlier this week after discovering the leak. Sen explained that the startup had configured one of its Amazon cloud-hosted storage buckets, used by the check-in system to store customer data, to be publicly accessible. Anyone with a web browser could view the contents without a password, simply by knowing the bucket name: “tabiq.”
Sen reached out to TechCrunch to help notify the company. After TechCrunch contacted both Reqrea and Japan’s cybersecurity coordination team, JPCERT, the company locked down the storage bucket.
This incident highlights a persistent issue: companies exposing sensitive customer data not through sophisticated cyberattacks, but by neglecting basic cybersecurity practices. While much attention focuses on AI-discovered vulnerabilities and new security tools, many significant breaches still result from human error, misconfigurations, or a failure to follow established protocols.
In an email acknowledging the exposure, Reqrea director Masataka Hashimoto told TechCrunch: “We are conducting a thorough review with the support of external legal counsel and other advisors to determine the full scope of exposure.”
Reqrea stated it is unclear how the storage bucket became public. By default, Amazon’s cloud storage buckets are private. Following a wave of similar exposures a few years ago, Amazon added multiple warning prompts before data can be made public, making this kind of mistake increasingly difficult to make accidentally.
Hashimoto said the company plans to notify affected individuals once its investigation is complete.
It remains unknown whether anyone besides Sen accessed the exposed data before it was secured. Hashimoto noted that the company is reviewing its logs to check for any unauthorized access prior to securing the bucket.
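The kind of log review described above, as an added example (not Reqrea's code and not from the original article): it assumes S3 server access logging was enabled on the bucket, which the article does not state, and summarises successful reads made with no authenticated requester. The sample records, bucket name, IP addresses and object keys are constructed.

```python
import re
from collections import defaultdict

# Leading fields of an S3 server access log record; later fields are ignored.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\d{3}|-) (?P<error>\S+) (?P<sent>\d+|-)'
)
READ_OPS = {"REST.GET.OBJECT", "REST.GET.BUCKET"}  # object download, listing


def anonymous_reads(lines):
    """Summarise successful unauthenticated reads per source IP."""
    summary = defaultdict(lambda: {"listings": 0, "objects": set(), "bytes": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated record
        # S3 logs the requester as "-" when the request was unauthenticated.
        if m["requester"] != "-" or m["operation"] not in READ_OPS:
            continue
        if not m["status"].startswith("2"):
            continue  # denied or failed requests are not counted as reads
        entry = summary[m["ip"]]
        if m["operation"] == "REST.GET.BUCKET":
            entry["listings"] += 1
        else:
            entry["objects"].add(m["key"])
        if m["sent"] != "-":
            entry["bytes"] += int(m["sent"])
    return dict(summary)


# Constructed sample records: placeholder bucket, documentation IP ranges.
SAMPLE = [
    'OWNERID example-bucket [01/Jan/2024:10:00:00 +0000] 198.51.100.7 - REQ1 REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 - 2048 - 12 11 "-" "curl/8.0" -',
    'OWNERID example-bucket [01/Jan/2024:10:00:02 +0000] 198.51.100.7 - REQ2 REST.GET.OBJECT scans/a.jpg "GET /scans/a.jpg HTTP/1.1" 200 - 50000 50000 20 19 "-" "curl/8.0" -',
    'OWNERID example-bucket [01/Jan/2024:10:00:03 +0000] 198.51.100.7 - REQ3 REST.GET.OBJECT scans/b.jpg "GET /scans/b.jpg HTTP/1.1" 200 - 30000 30000 18 17 "-" "curl/8.0" -',
    'OWNERID example-bucket [01/Jan/2024:10:00:05 +0000] 192.0.2.10 arn:aws:iam::111122223333:user/app REQ4 REST.GET.OBJECT scans/a.jpg "GET /scans/a.jpg HTTP/1.1" 200 - 50000 50000 21 20 "-" "app/1.0" -',
    'OWNERID example-bucket [02/Jan/2024:09:00:00 +0000] 203.0.113.9 - REQ5 REST.GET.OBJECT scans/a.jpg "GET /scans/a.jpg HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "curl/8.0" -',
]

if __name__ == "__main__":
    for ip, e in anonymous_reads(SAMPLE).items():
        print(ip, e["listings"], len(e["objects"]), e["bytes"])
```

The per-IP summary separates bucket listings from object downloads, which helps distinguish a single indexing pass from bulk retrieval of documents.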
Details of the exposed bucket were also captured by GrayHatWarfare, a searchable database that indexes publicly visible cloud storage. The bucket contained files dating from early 2020 through this month, including identity documents from visitors around the world.
This hotel check-in system lapse follows other incidents involving sensitive government-issued documents. Earlier this year, TechCrunch reported on the exposure of driver’s licenses, passports, and other identity documents uploaded by customers of money transfer service Duc App. A data breach at car rental service Hertz last year resulted in hackers obtaining driver’s license information from at least 100,000 customers.
These incidents come as governments increasingly implement age verification laws and private businesses adopt “know your customer” checks to verify identities. Both practices require adults to upload sensitive documents to third-party companies for verification, despite criticism from cybersecurity experts. Data lapses can leave victims at greater risk of identity fraud or having their likeness misused as age verification requirements expand globally.
(Source: TechCrunch)



