A hotel check-in system left a million passports and driver’s licenses open for anyone to see

A significant security breach has revealed that a hotel check-in system inadvertently exposed more than one million customer passports, driver’s licenses, and verification selfies online. The data leak, which affected multiple hotel guests globally, was brought to light by TechCrunch after being alerted by independent security researcher Anurag Sen. The system in question, known as Tabiq, is operated by the Japanese tech startup Reqrea, which utilizes facial recognition and document scanning technology to streamline guest check-ins at various hotels in Japan. Sen uncovered that the breach occurred when Reqrea configured an Amazon cloud storage bucket—used to store sensitive guest data—as publicly accessible. This misconfiguration meant anyone with the bucket's name could access the documents without needing a password. Upon notification from TechCrunch, Reqrea swiftly secured the compromised storage bucket. The incident highlights a troubling trend in cybersecurity, where companies often expose sensitive data not through advanced hacking tactics but rather due to fundamental lapses in security protocols. Despite advancements in AI-driven security measures, many breaches stem from human error or negligence. In a communication with TechCrunch, Reqrea's director Masataka Hashimoto acknowledged the situation and stated that the company is undertaking a comprehensive review with external legal guidance to ascertain the full extent of the breach. He noted that they are also investigating how the storage bucket was set to public access, as Amazon's cloud storage is private by default. The exposed data included files dating back to early 2020 and raised concerns about identity theft and misuse, especially as governments and businesses increase their reliance on sensitive document verification for age and identity checks. Past incidents, such as a data breach involving the Duc App and a security lapse at Hertz affecting over 100,000 customers, further emphasize the growing risks associated with mishandling personal information. Reqrea has committed to notifying affected individuals once their investigation is completed, although it remains uncertain if anyone other than Sen accessed the exposed data before it was secured.