TL;DR

A Japan-based hotel check-in system, Tabiq, exposed over one million customer documents and photos due to a misconfigured cloud storage bucket. The data is now offline after TechCrunch alerted the company. The incident highlights ongoing cybersecurity risks from human error.

A hotel check-in system used across several hotels in Japan exposed over one million customer passports, driver’s licenses, and photos due to a cloud storage misconfiguration. The data was accessible online without authentication until the company, Reqrea, secured the storage after being alerted by TechCrunch. This incident underscores persistent cybersecurity vulnerabilities linked to human error.

The affected system, called Tabiq, is maintained by Reqrea, a Japan-based tech startup. It uses facial recognition and document scanning to verify guests during check-in. The exposed data included sensitive identity documents and selfie verification photos from guests worldwide, stored in an Amazon cloud bucket configured to be publicly accessible. The leak was discovered by independent security researcher Anurag Sen, who notified TechCrunch earlier this week. Upon receiving the alert, Reqrea promptly secured the bucket, which contained files dating back to 2020. The company has not confirmed whether any unauthorized access occurred before the fix, but is reviewing logs to determine if data was accessed.

Why It Matters

This incident highlights ongoing cybersecurity risks associated with human error and misconfiguration, particularly in cloud storage. Exposing sensitive personal data such as passports and driver’s licenses increases the risk of identity theft and fraud. It also raises concerns about the security of third-party verification systems used in travel and financial sectors, especially as governments and private companies rely more heavily on digital identity verification.

Background

Previous incidents include the exposure of government-issued IDs by services like Duc App and a data breach at Hertz affecting over 100,000 driver’s licenses. These lapses occur amid increasing use of digital identity checks for age verification and financial transactions, often involving third-party vendors. Amazon has added warnings to prevent accidental public exposure of cloud data, but errors still occur, often due to human oversight.

“The exposure of over one million identity documents due to a simple misconfiguration underscores how human error remains a critical vulnerability in cybersecurity.”

— Zack Whittaker, TechCrunch security editor

“We are conducting a thorough review with external legal counsel to determine the full scope of exposure.”

— Reqrea director Masataka Hashimoto

What Remains Unclear

It is not yet confirmed whether any unauthorized access occurred before the bucket was secured. Details about the number of affected individuals and whether the data was downloaded or misused remain unclear. The full scope of the breach is still under investigation.

What’s Next

Reqrea is expected to complete its investigation and notify affected individuals. The company may also implement additional security measures and review its data handling protocols. Monitoring of the incident’s impact and any potential misuse of data will likely continue in the coming weeks.

Key Questions

How many people were affected by this data leak?

It is estimated that over one million documents, including passports and driver’s licenses, were exposed, but the exact number of individuals affected is still being determined.

Has the data been accessed or misused?

There is no confirmed evidence that the data was accessed or misused before the bucket was secured, but investigations are ongoing to determine if any unauthorized access occurred.

What steps is the company taking to prevent future leaks?

Reqrea has secured the cloud storage and is reviewing its security protocols, including better access controls and staff training, to prevent similar incidents.

Could this happen again?

While Amazon has added warnings to reduce accidental exposure, human error and misconfiguration risks remain, so the possibility of future leaks cannot be entirely eliminated without ongoing vigilance.
