A hotel check-in system left a million passports and driver’s licenses open for anyone to see

Brownie2019

Thread author
Mar 9, 2019
A hotel check-in system left more than 1 million customer passports, driver’s licenses, and selfie verification photos to the open web after a security lapse. The data is now offline after TechCrunch alerted the company responsible.

The hotel check-in system, called Tabiq, is maintained by the Japan-based tech startup Reqrea. According to its website, Tabiq is used in several hotels across Japan and relies on facial recognition and document scanning to check guests in.

Independent security researcher Anurag Sen contacted TechCrunch earlier this week after discovering that the system was leaking the sensitive documents of hotel guests from around the world. Sen said this was because the startup set one of its Amazon cloud-hosted storage buckets, which the check-in system uses to store customer data, to be publicly accessible. The data inside could be viewed by anyone using a web browser, without needing a password, by knowing only the bucket name: “tabiq.”

Sen alerted TechCrunch in an effort to help notify the company. Reqrea locked down the storage bucket after TechCrunch reached out to both the company and Japan’s cybersecurity coordination team, JPCERT.

This latest lapse underscores a recurring problem of companies exposing or spilling their customers’ personal information and sensitive documents — not through sophisticated attacks, but by failing to follow basic cybersecurity practices. Aside from a recent buzz of AI-discovered vulnerabilities and new cybersecurity capabilities, oftentimes sizable security incidents stem from human error, misconfigurations, or failing to adhere to cybersecurity best practices.

In an email acknowledging the exposure, Reqrea director Masataka Hashimoto told TechCrunch: “We are conducting a thorough review with the support of external legal counsel and other advisors to determine the full scope of exposure.”

Reqrea said it does not know how the storage bucket became public. By default, Amazon’s cloud storage buckets are private. After a spate of exposed customer storage buckets a few years ago, Amazon added several warning prompts to customers before data can be made public, making this kind of lapse increasingly hard to do accidentally.

Hashimoto told TechCrunch that the company plans to notify affected individuals once it has completed its investigation.

It remains unclear whether anyone other than Sen accessed the exposed data before it was secured. Hashimoto said the company is reviewing its logs to determine if there had been any authorized access prior to securing the bucket.

Details of the exposed bucket were also captured by GrayHatWarfare, a searchable database that indexes publicly visible cloud storage. The bucket listing contains files dating back to early 2020 up to as recently as this month, and included identity documents of visitors from countries around the world.

The hotel check-in system lapse follows other incidents involving sensitive government-issued documents. Earlier this year, TechCrunch reported on the exposure of driver’s licenses, passports, and other identity documents uploaded by customers of money transfer service Duc App. A data breach at car rental service Hertz last year saw hackers make off with driver’s license information belonging to at least 100,000 customers.

These incidents come at a time when governments are increasingly rolling out age-verification laws and private businesses are using “know your customer” checks to verify a person’s identity. Both rely on adults uploading sensitive documents, often to a third-party company, for verification, despite criticisms from cybersecurity experts. Data lapses can put people whose information was taken at greater risk of identity fraud or having their likeness misused as age-verification requirements take hold around the world.

This is a serious example of a basic cloud misconfiguration causing high-impact privacy exposure.

From the quoted report, the issue was not described as a sophisticated breach, but as a publicly accessible cloud storage bucket containing highly sensitive identity data.

Why this matters

  • Passports and driver’s licenses are high-value identity documents
  • Selfie verification photos increase the risk of identity misuse, including fraud tied to KYC or account verification workflows
  • The exposure appears to have affected international travelers, so the privacy and notification impact may cross multiple jurisdictions
  • Even if no confirmed malicious access is found, exposed identity data should still be treated as potentially compromised until proven otherwise

Important point about the cause

The article says Amazon S3 buckets are private by default, which is correct in general. That means this was likely a configuration or access-control failure on the customer side, not an inherent flaw in S3 itself.

That distinction matters because these incidents are usually preventable with standard controls such as:

  • Blocking public access at the account and bucket level
  • Least-privilege IAM policies
  • Automated configuration auditing
  • Alerting on public bucket exposure
  • Data retention limits for identity documents
  • Encryption and access logging
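One way to automate the first, fourth and last of these controls, as an added example that is not part of this post or of any vendor tooling: it evaluates a bucket's Block Public Access settings, bucket policy and ACL in the shapes the S3 API returns them (fed here with constructed sample data and a placeholder bucket name, not the real one) and reports whether the combination leaves objects anonymously readable.

```python
# Added example (not from the article or Reqrea): evaluate the three S3 settings a
# posture check inspects, on constructed data shaped like the S3 API responses. No AWS calls.
import json

PUBLIC_GROUPS = ("http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers")

def policy_grants_public(policy_json):
    """Sids of Allow statements whose Principal is anyone ("*")."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):      # a lone statement may be unwrapped
        statements = [statements]
    hits = []
    for i, st in enumerate(statements):
        principal = st.get("Principal")
        anyone = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        if st.get("Effect") == "Allow" and anyone:
            hits.append(st.get("Sid", f"statement[{i}]"))
    return hits

def acl_grants_public(acl):
    """Permissions granted to the AllUsers / AuthenticatedUsers groups."""
    return [f"{g['Grantee']['URI'].rsplit('/', 1)[-1]}:{g['Permission']}"
            for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS]

def audit_bucket(name, pab, policy_json, acl):
    # Block Public Access neutralises grants: RestrictPublicBuckets makes an existing
    # public policy ineffective, IgnorePublicAcls does the same for public ACLs.
    policy_hits = policy_grants_public(policy_json) if policy_json else []
    acl_hits = acl_grants_public(acl)
    exposed = (bool(policy_hits) and not pab.get("RestrictPublicBuckets")) or \
              (bool(acl_hits) and not pab.get("IgnorePublicAcls"))
    return {"bucket": name, "exposed": exposed,
            "policy_findings": policy_hits, "acl_findings": acl_hits}

# Constructed sample: the weak state (block off, policy open to "*") beside the fix.
WEAK_PAB = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
HARDENED_PAB = {k: True for k in WEAK_PAB}      # all four settings on
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-checkin-bucket/*"}]})

if __name__ == "__main__":
    for pab in (WEAK_PAB, HARDENED_PAB):
        print(audit_bucket("example-checkin-bucket", pab, OPEN_POLICY, {"Grants": []}))
```

The same functions can be pointed at live output from `get_public_access_block`, `get_bucket_policy` and `get_bucket_acl` and run on a schedule as the alerting control in the list above.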

What stands out from a security perspective

  • The bucket name was apparently easy to identify, which increases discoverability
  • GrayHatWarfare indexing suggests the exposure may have been visible long enough to be cataloged
  • Files reportedly dated back to 2020, which may indicate overly long retention of sensitive verification data
  • The company reportedly does not yet know how the bucket became public, which suggests weak change tracking or insufficient cloud governance

On the “was it accessed?” question

It is good that the company is reviewing logs, but that may not fully answer the question.

  • If logging was incomplete, they may not be able to determine the full scope reliably
  • Public exposure does not always leave a clear forensic trail
  • Third-party indexing or scraping may have occurred before the bucket was locked down

So in practice, affected individuals should be notified conservatively if their documents were present.
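As an added example (not from the post and not the company's own tooling), the kind of check an investigator would run if S3 server access logging was turned on: it flags successful unsigned reads and listings per source IP over constructed sample log lines, and tests whether the logs even start before the suspected exposure date, which is the "incomplete logging" problem above. The field layout follows the documented S3 access-log format; the bucket, IPs, request IDs and account id are placeholders.

```python
# Added example (not from the article or Reqrea): scan S3 server access log lines
# for anonymous reads and check whether logging even covers the exposure window.
# Sample lines below are constructed in the documented S3 access-log layout.
import re
from collections import defaultdict
from datetime import datetime
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<requester>\S+) '
    r'(?P<req_id>\S+) (?P<op>\S+) (?P<key>\S+) "(?P<uri>[^"]*)" (?P<status>\d{3}|-) '
    r'(?P<err>\S+) (?P<bytes_sent>\S+)')
ANON = "-"                       # S3 logs the requester as "-" for unsigned requests
READ_OPS = ("REST.GET.OBJECT", "REST.GET.BUCKET")   # object download, bucket listing

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["bytes_sent"] = 0 if rec["bytes_sent"] == "-" else int(rec["bytes_sent"])
    return rec

def anonymous_reads(lines):
    """Per source IP: successful unauthenticated listings/downloads and bytes served."""
    by_ip = defaultdict(lambda: {"requests": 0, "bytes": 0, "keys": set()})
    for rec in filter(None, map(parse_line, lines)):
        if rec["requester"] == ANON and rec["op"] in READ_OPS and rec["status"] == "200":
            s = by_ip[rec["ip"]]
            s["requests"] += 1
            s["bytes"] += rec["bytes_sent"]
            if rec["op"] == "REST.GET.OBJECT":
                s["keys"].add(rec["key"])
    return dict(by_ip)

def coverage_gap(lines, exposure_start_iso):
    """Logging that began after the exposure started cannot rule out earlier access."""
    times = [r["time"] for r in filter(None, map(parse_line, lines))]
    return not times or min(times) > datetime.fromisoformat(exposure_start_iso)

SAMPLE = [  # constructed: one anonymous listing, two anonymous downloads, one signed upload
    'owner1 example-checkin-bucket [10/Mar/2025:09:00:01 +0000] 198.51.100.7 - 3E57427F REST.GET.BUCKET - "GET /example-checkin-bucket?list-type=2 HTTP/1.1" 200 - 4128 - 12 - "-" "Mozilla/5.0" -',
    'owner1 example-checkin-bucket [10/Mar/2025:09:00:05 +0000] 198.51.100.7 - 3E57427G REST.GET.OBJECT guests/doc-0001.jpg "GET /guests/doc-0001.jpg HTTP/1.1" 200 - 182332 182332 40 - "-" "Mozilla/5.0" -',
    'owner1 example-checkin-bucket [10/Mar/2025:09:00:09 +0000] 198.51.100.7 - 3E57427H REST.GET.OBJECT guests/doc-0002.jpg "GET /guests/doc-0002.jpg HTTP/1.1" 200 - 190114 190114 38 - "-" "Mozilla/5.0" -',
    'owner1 example-checkin-bucket [10/Mar/2025:09:01:00 +0000] 203.0.113.5 arn:aws:iam::000000000000:user/checkin-app 3E57427J REST.PUT.OBJECT guests/doc-0003.jpg "PUT /guests/doc-0003.jpg HTTP/1.1" 200 - - 201000 55 21 "-" "aws-sdk-java" -',
]

if __name__ == "__main__":
    print(anonymous_reads(SAMPLE))
    print("coverage gap:", coverage_gap(SAMPLE, "2020-01-01T00:00:00+00:00"))
```

If `coverage_gap` is true for the earliest date files were present, "no unauthorised access found in the logs" says nothing about the uncovered period, which is why conservative notification is the right call.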

Broader takeaway

This case reinforces a point that often gets overlooked: many damaging data exposures still come from ordinary operational mistakes, not advanced malware or zero-day attacks.

AI-based detection and modern security tooling can help, but they do not replace:

  • Secure defaults
  • Periodic access reviews
  • Cloud posture management
  • Minimal data collection
  • Strict retention and deletion policies

For users affected by incidents like this

If a company confirms your ID documents were exposed, standard low-risk steps would include:

  • Watching for phishing or impersonation attempts
  • Monitoring financial and identity-related accounts
  • Checking whether your jurisdiction offers fraud alerts or identity monitoring
  • Replacing documents only if local authorities or the issuing agency recommend it

Bottom line

Based on the report, this looks like a preventable exposure of extremely sensitive KYC-style data caused by poor cloud storage controls. Even without confirmed abuse, incidents involving passports, licenses, and selfie verification data should be treated with a high level of caution.