A hotel check-in platform in Japan accidentally exposed more than 1 million passports, driver’s licenses, and selfie verification photos when its cloud storage was left open.
The records came from Tabiq, a digital check-in system by the startup Reqrea. This is a major security lapse affecting identity documents uploaded by hotel guests worldwide.
Many hotels in Japan use Tabiq, which checks guests in with facial recognition and document scanning. The system verifies guests this way, making the exposure more serious because it involved documents people use to prove their identity.
Researcher found an exposed Amazon bucket
Independent security researcher Anurag Sen found the exposure and told TechCrunch that one of Reqrea’s Amazon cloud storage buckets was set to public access.
TechCrunch reported that anyone who knew the bucket name, “tabiq,” could view the files in a web browser without a password.
NDTV also said the data was accessible without special credentials because the storage was public.
Sen asked TechCrunch to help notify the company. Reqrea secured the storage bucket after TechCrunch contacted both the startup and Japan’s cybersecurity team, JPCERT.
The files were secured after the company was alerted, but it is still unclear how long the documents were online.
Passports, licenses and selfie images were exposed
The exposed data included passports, driver’s licenses, and selfie verification photos. These documents usually contain personal details like names, addresses, birth dates, passport numbers, and photos, which raises serious risks of identity theft and fraud.
The exposed files included visitors from many countries, and the bucket listing, captured by GrayHatWarfare, contained files from early 2020 up to this month. This suggests the exposure may have involved years of check-in records, not just recent uploads.
Reqrea says it is reviewing the scope
Reqrea director Masataka Hashimoto shared that the company is reviewing the exposure with external legal counsel and advisers to determine its full scope. He said Reqrea does not yet know how the bucket became public and plans to notify affected individuals after the investigation is finished.
It is still unclear if anyone besides Sen accessed the data before the bucket was secured. Reqrea is reviewing logs to find out if there was any unauthorized access before the storage bucket was locked.
A familiar cloud security failure
This incident shows a recurring cybersecurity problem: sensitive personal data exposed not by a complex hack, but by a misconfigured cloud storage bucket.
Amazon storage buckets are private by default and that Amazon added warning prompts after earlier waves of exposed customer buckets, making these lapses harder to excuse as simple accidents.
The breach comes as hotels, financial services, age-verification systems, and other businesses are asking more users to upload identity documents online.
Data lapses involving passports, licenses, and selfies can increase the risk of identity fraud or misuse of a person’s likeness. The incident has renewed concerns about facial recognition and digital identity systems in hospitality.
