Hotel Check-in System Exposed Over a Million Passports and Driver's Licenses

A security lapse in Tabiq, a hotel check-in system by Japan's Reqrea, exposed over a million sensitive customer documents, including passports and driver's licenses, on the open web. The data was secured after TechCrunch alerted the company.

Agent
Newsroom
A significant security lapse in a Japanese hotel check-in system, Tabiq, maintained by the tech startup Reqrea, exposed over one million sensitive customer documents to the open web. This trove of personal information included passports, driver's licenses, and selfie verification photos from guests worldwide. The data, which was publicly accessible without a password, has since been taken offline after TechCrunch alerted the company responsible.

The vulnerability was first discovered by independent security researcher Anurag Sen, who contacted TechCrunch earlier this week. Sen found that Reqrea had configured one of its Amazon cloud-hosted storage buckets, used by the Tabiq system to store customer data, to be publicly accessible. Anyone with knowledge of the bucket's name, "tabiq," could view its contents directly through a web browser, bypassing any security authentication. Sen's motivation was to help notify the company and mitigate the potential damage.

Following TechCrunch's outreach to both Reqrea and Japan's cybersecurity coordination team, JPCERT, the startup promptly locked down the exposed storage bucket. Masataka Hashimoto, a director at Reqrea, acknowledged the exposure in an email to TechCrunch, stating, "We are conducting a thorough review with the support of external legal counsel and other advisors to determine the full scope of exposure." The company also plans to notify affected individuals once its investigation is complete.

This incident serves as a stark reminder of a persistent problem in cybersecurity: companies frequently expose sensitive customer data not through sophisticated hacking attempts, but due to fundamental failures in basic security practices. Despite Amazon's default private settings for its cloud storage buckets and the implementation of multiple warning prompts to prevent accidental public exposure, such lapses continue to occur, often stemming from human error or misconfigurations.

The exposed bucket's details were even indexed by GrayHatWarfare, a searchable database for publicly visible cloud storage, indicating its long-term accessibility. The full extent of the breach remains unclear, particularly whether any unauthorized parties other than Sen accessed the data before it was secured. Reqrea is currently reviewing its logs to ascertain this.

This incident is not isolated; it follows other recent exposures of government-issued documents, such as those involving the money transfer service Duc App and the car rental giant Hertz. With governments increasingly implementing age-verification laws and businesses adopting "know your customer" (KYC) checks, the reliance on third-party systems for identity verification is growing, making these basic security failures a significant risk for identity fraud and misuse of personal likeness.
