Major Hotel Check-In System Exposes Over One Million Guest Passports and IDs

A significant security vulnerability within a hotel check-in system has led to the exposure of more than a million customer passports, driver’s licenses, and selfie verification photos online. The sensitive data, which was publicly accessible, has since been secured. The system, known as Tabiq, is maintained by Japanese technology startup Reqrea and is utilized by various hotels across Japan, employing facial recognition and document scanning for guest check-ins.

The security lapse was brought to light by independent security researcher Anurag Sen, who identified that Reqrea had inadvertently configured one of its Amazon cloud-hosted storage buckets to be publicly accessible. This misconfiguration allowed anyone with knowledge of the bucket’s name, “tabiq,” to view the stored customer data without requiring a password. Following notification, Reqrea promptly secured the storage bucket, with assistance from Japan’s cybersecurity coordination team, JPCERT.

Reqrea director Masataka Hashimoto acknowledged the data exposure, stating that the company is conducting a thorough review with legal counsel and other advisors to determine the full scope of the incident. While Amazon’s cloud storage buckets are private by default, and despite additional safeguards implemented by Amazon to prevent accidental public access, Reqrea indicated it is currently unaware of how the bucket became publicly accessible. The company plans to notify affected individuals once its investigation is complete, and it is actively reviewing logs to ascertain if any unauthorized access occurred before the data was secured.

This incident highlights a persistent challenge in cybersecurity, where significant data breaches often stem from fundamental errors in configuration and a failure to adhere to best practices, rather than sophisticated attacks. Records of the exposed bucket, containing files from early 2020 to recent months, were also indexed by GrayHatWarfare, a database for publicly visible cloud storage. Such exposures of government-issued documents have become a recurring concern, following similar incidents involving money transfer service Duc App and car rental giant Hertz, underscoring the critical need for robust data protection as businesses increasingly rely on sensitive identity verification processes.
