TL;DR

A security lapse in a Japanese hotel check-in system exposed over one million customer documents online. The data is now offline after TechCrunch alerted the company. The incident highlights ongoing cybersecurity risks from misconfigurations.

A Japanese hotel check-in system called Tabiq, operated by Reqrea, exposed over one million passports, driver’s licenses, and selfie verification photos online due to a security misconfiguration. The data is now offline after TechCrunch alerted the company, marking a significant cybersecurity lapse that could impact thousands of international travelers.

Independent security researcher Anurag Sen discovered that Reqrea had set its Amazon cloud storage bucket, used to store guest data, to be publicly accessible. This allowed anyone with knowledge of the bucket name, ‘tabiq,’ to view sensitive documents without authentication. The exposed data included identity documents from guests worldwide, dating back to early 2020, and was accessible until the company secured the bucket following TechCrunch’s intervention.

Reqrea confirmed that the data was made accessible due to a misconfiguration, and the company has since taken steps to lock down the storage. The firm is conducting an internal review with external legal counsel to determine the full scope of the exposure. It remains unclear whether any unauthorized access occurred before the data was secured, as the company is reviewing its logs. The incident was also documented by GrayHatWarfare, a database that indexes publicly visible cloud storage, confirming the extent of the leak.
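The kind of public-bucket misconfiguration described above can be checked from a bucket's ACL, bucket policy, and Block Public Access settings. The following is an added example, not code from the article or from Reqrea; the bucket name and sample policy are constructed, and it simplifies AWS's own evaluation by treating any statement that carries a `Condition` as non-public.

```python
# Added illustration: inputs mirror the shapes returned by the S3
# GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock APIs.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}

# Constructed sample: a policy that lets anyone list and download.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket",
                     "arn:aws:s3:::example-bucket/*"],
    }],
}
PUBLIC_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
LOCKED_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def public_exposure(acl_grants, policy, pab):
    """Return the reasons a bucket is readable without authentication."""
    pab = pab or {}
    reasons = []
    # Public ACL grants take effect unless IgnorePublicAcls is enabled.
    if not pab.get("IgnorePublicAcls"):
        for grant in acl_grants:
            if (grant["Grantee"].get("URI") == ALL_USERS
                    and grant["Permission"] in ("READ", "FULL_CONTROL")):
                reasons.append("ACL grants %s to AllUsers" % grant["Permission"])
    # A public policy takes effect unless RestrictPublicBuckets is enabled.
    if policy and not pab.get("RestrictPublicBuckets"):
        for stmt in _as_list(policy.get("Statement", [])):
            principal = stmt.get("Principal")
            anyone = principal == "*" or (
                isinstance(principal, dict)
                and "*" in _as_list(principal.get("AWS", [])))
            actions = set(_as_list(stmt.get("Action", []))) & READ_ACTIONS
            # Simplification: any Condition is treated as narrowing access.
            if (stmt.get("Effect") == "Allow" and anyone
                    and not stmt.get("Condition") and actions):
                reasons.append("policy allows %s to any principal"
                               % ", ".join(sorted(actions)))
    return reasons
```

With all four Block Public Access flags enabled, the same open policy and ACL no longer produce any finding.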

Why It Matters

This incident underscores the persistent cybersecurity risks posed by human error and misconfigurations, especially in systems handling sensitive personal data. It highlights the importance of proper cloud security practices, particularly for companies managing personal identification documents. The exposure of such data increases risks of identity theft and fraud, especially as governments and private sectors rely more on digital identity verification processes.

Background

This is not the first incident involving sensitive personal data being exposed due to security lapses. Earlier this year, TechCrunch reported on the leak of driver’s licenses and passports from the money transfer app Duc, and last year, Hertz experienced a breach that compromised the driver’s license data of over 100,000 customers. These incidents occur amid rising use of digital verification processes, which are increasingly targeted by cyber threats. Amazon’s cloud platform has taken steps to prevent such misconfigurations, but human error remains a common vulnerability.

“The data was accessible to anyone with just the bucket name, which is a serious security oversight.”

— Anurag Sen, security researcher

“We are conducting a thorough review with external legal counsel to determine the full scope of exposure.”

— Masataka Hashimoto, Reqrea director

What Remains Unclear

It is still unclear whether any malicious actors accessed or downloaded the data before it was secured. The company is reviewing logs to determine if there was any unauthorized access prior to lockdown. The full extent of affected individuals has not yet been disclosed, and the timeline of the exposure remains uncertain.
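A log review of this kind comes down to finding successful requests that carried no credentials. The following is an added example, not Reqrea's tooling or code from the article; it assumes S3 server access logging was enabled on the bucket (the article does not say which logs exist), and the sample records, IDs, and IP addresses are constructed.

```python
import re
from collections import defaultdict

# Leading fields of an S3 server access log record, up to "bytes sent".
RECORD = re.compile(
    r'(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<op>\S+) (?P<key>\S+) '
    r'(?:"[^"]*"|-) (?P<status>\S+) (?P<error>\S+) (?P<sent>\S+)'
)
READ_OPS = {"REST.GET.OBJECT", "REST.GET.BUCKET"}  # download, bucket listing

# Constructed sample records (documentation IP ranges, made-up IDs and keys).
SAMPLE_LOG = """\
OWNERID example-bucket [12/Mar/2024:04:10:01 +0000] 198.51.100.7 - REQ0001 REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 - 500 - 20 19 "-" "curl/8.0" -
OWNERID example-bucket [12/Mar/2024:04:10:05 +0000] 198.51.100.7 - REQ0002 REST.GET.OBJECT guest/0001.jpg "GET /guest/0001.jpg HTTP/1.1" 200 - 1000 1000 35 30 "-" "curl/8.0" -
OWNERID example-bucket [12/Mar/2024:04:11:00 +0000] 203.0.113.5 arn:aws:iam::111122223333:user/app REQ0003 REST.GET.OBJECT guest/0002.jpg "GET /guest/0002.jpg HTTP/1.1" 200 - 2000 2000 40 33 "-" "aws-sdk" -
OWNERID example-bucket [13/Mar/2024:09:00:00 +0000] 192.0.2.9 - REQ0004 REST.GET.OBJECT guest/0003.jpg "GET /guest/0003.jpg HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "curl/8.0" -
"""

def anonymous_reads(log_text):
    """Summarise successful unauthenticated reads per source IP."""
    hits = defaultdict(lambda: {"requests": 0, "bytes": 0, "listed": False})
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue  # not an access-log record
        # Requester "-" means the request carried no credentials.
        if m["requester"] != "-" or m["op"] not in READ_OPS:
            continue
        if not m["status"].startswith("2"):
            continue  # denied or failed: no object data was returned
        entry = hits[m["ip"]]
        entry["requests"] += 1
        entry["bytes"] += int(m["sent"]) if m["sent"].isdigit() else 0
        # A successful listing means the caller could enumerate every key.
        entry["listed"] |= m["op"] == "REST.GET.BUCKET"
    return dict(hits)

if __name__ == "__main__":
    for ip, summary in anonymous_reads(SAMPLE_LOG).items():
        print(ip, summary)
```

Server access logs are delivered on a best-effort basis, so an empty result narrows the question of unauthorized access without settling it.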

What’s Next

Reqrea is expected to notify affected individuals once its investigation concludes. The company will likely implement additional security measures to prevent future misconfigurations. Regulatory authorities may also scrutinize the incident, potentially leading to further investigation or penalties.

Key Questions

How did the data leak happen?

The leak occurred because the company’s Amazon cloud storage bucket was misconfigured to be publicly accessible, allowing anyone to view the stored documents without authentication.

What types of documents were exposed?

The exposed documents included passports, driver’s licenses, and selfie verification photos of hotel guests from around the world.

Are the affected individuals at risk now?

Potential risks include identity theft and fraud, but there is no evidence that malicious actors accessed the data before it was secured. The company is investigating further.

Has the data been secured now?

Yes, the company has locked down the cloud storage bucket following the discovery and alert from TechCrunch.

Will the company notify those affected?

Reqrea has stated it plans to notify affected individuals once its investigation is complete.
