Massive Security Breach: Over One Million Hotel Guest Passports and IDs Exposed Online via Japanese Check-In System
A major security vulnerability in a widely used hotel check-in system has exposed the highly sensitive personal data of more than one million travelers. The system, known as Tabiq and developed by Japanese technology startup Reqrea, utilizes facial recognition and document scanning to streamline guest check-ins across numerous hotels in Japan. Due to a critical configuration error, passports, driver’s licenses, and selfie verification photos were left completely accessible to the public on the internet before recently being secured.
The security lapse was uncovered by independent cybersecurity researcher Anurag Sen, who discovered that Reqrea had misconfigured an Amazon Web Services (AWS) cloud storage bucket. Because the bucket—named “tabiq”—was set to public, anyone who knew its name could access and download the sensitive files without needing a password or any form of authentication. Upon being alerted to the vulnerability, Reqrea worked alongside Japan’s cybersecurity coordination group, JPCERT, to quickly lock down the exposed database.
Masataka Hashimoto, a director at Reqrea, confirmed the exposure and stated that the company is working with legal counsel to investigate the full scope of the incident. Although AWS storage buckets are private by default, Reqrea has yet to determine how the bucket’s settings were altered to allow public access. The startup plans to notify affected individuals once its internal investigation is complete and is currently reviewing access logs to see if malicious actors downloaded the data. The exposed files, dating from early 2020 to recent months, had already been indexed by GrayHatWarfare, a public database that tracks open cloud storage. This incident mirrors recent high-profile leaks at other companies, emphasizing the ongoing risks of basic cloud misconfigurations.
Key Takeaways
- A misconfigured Amazon cloud storage bucket exposed over one million sensitive documents, including passports and selfie verifications, from the Tabiq hotel check-in system.
- The vulnerability was discovered by independent researcher Anurag Sen, prompting Japanese startup Reqrea to secure the data with assistance from JPCERT.
- The exposed files date back to 2020 and had already been indexed by public databases, raising concerns over potential identity theft and unauthorized access.
Editor’s Analysis & Impact
This incident underscores a frustratingly common reality in modern cybersecurity: the most devastating data exposures often result from simple human error rather than sophisticated cyberattacks. As hospitality and travel industries increasingly adopt automated, biometric-based check-in systems to improve efficiency, they also become prime targets for data harvesting. Storing government-issued IDs and biometric selfies requires the highest tier of security hygiene. For startups like Reqrea, a single misconfigured cloud bucket can shatter consumer trust and invite severe regulatory penalties under strict data protection laws like Japan’s APPI. Moving forward, organizations must implement automated compliance and configuration monitoring tools to ensure that ‘private by default’ cloud settings are never accidentally overridden, especially when handling highly sensitive identity verification data.
Frequently Asked Questions
Q: What is Tabiq and how was the data exposed?
A: Tabiq is an automated hotel check-in system developed by Japanese startup Reqrea that uses facial recognition and document scanning. The data was exposed because an Amazon cloud storage bucket containing guest records was misconfigured to be publicly accessible without a password.
Q: What kind of information was leaked in this security breach?
A: The exposure included highly sensitive personal identification documents of over one million guests, such as passports, driver's licenses, and selfie photos used for identity verification, dating from early 2020 to recently.
Q: Has the security vulnerability been resolved?
A: Yes, once notified of the exposure, Reqrea worked with Japan's cybersecurity coordination team (JPCERT) to secure the cloud storage bucket. The company is currently investigating whether unauthorized parties accessed the data before it was secured.