A hotel check-in system left a million passports and driver’s licenses open for anyone to see

· Source: TechCrunch · Field: Technology & Digital — Cybersecurity & Data Privacy, Cloud Computing & IT Infrastructure · Depth: Fundamental Awareness, quick

Summary

The Tabiq hotel check-in system, developed by Japan-based startup Reqrea, exposed over 1 million customer passports, driver's licenses, and selfie verification photos online due to a misconfigured Amazon S3 storage bucket. Independent security researcher Anurag Sen discovered the publicly accessible bucket, named "tabiq," which allowed anyone with a web browser to view sensitive documents dating from early 2020 to the present. TechCrunch notified Reqrea and Japan's cybersecurity coordination team, JPCERT, leading to the data being secured. Reqrea director Masataka Hashimoto stated the company is investigating the full scope of exposure with legal counsel and plans to notify affected individuals, though it remains unclear how the default-private bucket became public or if unauthorized parties accessed the data.

Key takeaway

For CTOs and VPs of Engineering overseeing cloud infrastructure, this incident highlights the critical need for rigorous configuration management and continuous auditing of cloud storage permissions. Your teams must implement automated checks and strict access controls to prevent human error from exposing sensitive customer data, especially with identity verification systems. Proactive security measures are essential to mitigate risks of identity fraud and regulatory non-compliance.

Key insights

Basic cybersecurity misconfigurations, not sophisticated attacks, frequently cause significant data exposure incidents.

Best for: CTO, VP of Engineering/Data, Executive, Security Engineer, IT Professional, Tech Journalist

Editorial summary, takeaway, and curation by AIssential. Original article published by TechCrunch.