TL;DR
A hotel check-in system called Tabiq, operated by Reqrea in Japan, left over one million customer documents—including passports and driver’s licenses—publicly accessible online. The company has now secured the data following TechCrunch’s alert. The incident highlights ongoing cybersecurity risks from misconfigurations.
A hotel check-in system used across several Japanese hotels left over one million passports, driver’s licenses, and selfie verification photos accessible to anyone online. The breach was discovered by security researcher Anurag Sen and has now been fixed after TechCrunch alerted the company. This incident underscores the persistent cybersecurity risks posed by simple misconfigurations of cloud storage.
The system, called Tabiq and maintained by Japan-based startup Reqrea, stores sensitive guest data in an Amazon cloud storage bucket that was publicly accessible. The exposed data includes identity documents from guests worldwide, dating back to 2020, and was viewable without passwords, merely by knowing the bucket name “tabiq.”
Reqrea confirmed that the storage bucket was set to public in error and has since taken it offline. The company’s director, Masataka Hashimoto, stated they are conducting a full review with external legal counsel to determine the scope of the exposure and plan to notify affected individuals once the investigation concludes. It remains unclear if any unauthorized access occurred before the data was secured.
Why It Matters
This incident highlights the ongoing vulnerabilities caused by human error and misconfigurations in cybersecurity, especially concerning the handling of sensitive personal data. It raises concerns about the security of identity verification processes used in hospitality and other sectors, where large volumes of personal documents are uploaded and stored.
With governments and private companies increasingly relying on identity documents for age and identity verification, such lapses could put millions at risk of identity theft, fraud, or misuse of biometric data. The incident also underscores the importance of proper cloud security practices to prevent exposure of sensitive information.
Background
Similar data breaches have occurred recently, including the exposure of driver’s licenses and passports through various services like Duc App and Hertz. Amazon’s cloud platform has implemented safeguards to prevent accidental exposure, but human error remains a common cause of such leaks. The Tabiq breach adds to a series of incidents illustrating the vulnerabilities in handling personal data in the digital age.
“We are conducting a thorough review with the support of external legal counsel and other advisors to determine the full scope of exposure.”
— Masataka Hashimoto, Reqrea director
“The data was accessible simply by knowing the bucket name, without any passwords or authentication.”
— Anurag Sen, security researcher
What Remains Unclear
It is not yet clear whether any malicious actors accessed or downloaded the data before it was secured. The company is reviewing logs to determine if there was any unauthorized activity prior to the fix. Details of the full scope of the breach remain under investigation.
What’s Next
Reqrea is expected to complete its investigation and notify affected individuals. The company may implement additional security measures and review its data handling policies. Further updates are anticipated as more details emerge about the incident’s scope and impact.
Key Questions
How did the data leak happen?
The leak occurred because Reqrea set its Amazon cloud storage bucket to be publicly accessible, which allowed anyone with the bucket name to view the data.
What types of documents were exposed?
Passports, driver’s licenses, and selfie verification photos from hotel guests worldwide.
Has the data been secured?
Yes, after TechCrunch alerted the company, Reqrea immediately took the storage bucket offline and secured the data.
Will affected individuals be notified?
Reqrea has stated that it plans to notify affected individuals once its investigation is complete.
Could this happen again?
While the company has taken steps to fix the current lapse, the incident underscores the importance of strict cybersecurity practices to prevent future misconfigurations.
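A defender-side check for the kind of misconfiguration described above, as an added example that is not from the original article or from Reqrea: it takes a bucket policy, a bucket ACL and the Block Public Access settings (in the JSON shapes the S3 API uses) and reports why an unauthenticated read would succeed. The article does not say whether the Tabiq bucket was exposed through a policy or an ACL; the sample data, the bucket name `example-bucket` and the function names are constructed, and treating any statement with a Condition as non-public is a simplification.

```python
# Added example: offline check for anonymous read exposure of an S3 bucket.
# Inputs use the JSON shapes of a bucket policy, a bucket ACL and the
# Block Public Access settings. All sample data below is constructed.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
READ_ACTIONS = {"*", "s3:*", "s3:GetObject", "s3:ListBucket"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard_principal(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_read_findings(policy, acl, bpa):
    """Return the reasons a bucket is readable without credentials."""
    findings = []
    # IgnorePublicAcls makes S3 disregard public ACL grants.
    if not bpa.get("IgnorePublicAcls", False):
        for grant in acl.get("Grants", []):
            uri = grant.get("Grantee", {}).get("URI")
            if uri == ALL_USERS and grant.get("Permission") in {"READ", "FULL_CONTROL"}:
                findings.append(f"ACL grants {grant['Permission']} to AllUsers")
    # RestrictPublicBuckets cuts off anonymous access granted by a public policy.
    if not bpa.get("RestrictPublicBuckets", False):
        for stmt in _as_list(policy.get("Statement", [])):
            # Simplification: a statement with any Condition is treated as not public.
            if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
                continue
            actions = READ_ACTIONS & set(_as_list(stmt.get("Action", [])))
            if actions and _is_wildcard_principal(stmt.get("Principal")):
                findings.append(f"Policy allows {sorted(actions)} to any principal")
    return findings

# Constructed sample: wildcard read policy plus a public-read ACL.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                          "Permission": "READ"}]}
BPA_ON = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
          "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print(public_read_findings(SAMPLE_POLICY, SAMPLE_ACL, {}))
    print(public_read_findings(SAMPLE_POLICY, SAMPLE_ACL, BPA_ON))
```

With all four Block Public Access settings enabled, the same policy and ACL produce no findings, which is the safeguard doing its job even when the grant itself was made in error.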