A hotel registration system exposed a million passports and driver’s licenses for anyone to access.

A hotel check-in platform inadvertently exposed over 1 million customer passports, driver’s licenses, and selfie verification images to the public web due to a security oversight. The information is now offline following a notification from TechCrunch to the responsible firm.

The hotel check-in platform, named Tabiq, is operated by the Japan-based tech startup Reqrea. As stated on its website, Tabiq is utilized in various hotels throughout Japan and employs facial recognition and document scanning to facilitate guest check-ins.

Independent security analyst Anurag Sen reached out to TechCrunch earlier this week after finding that the system was exposing sensitive documents of hotel guests globally. Sen explained that the leak occurred because the startup had configured one of its Amazon cloud-hosted storage buckets, which stores customer data for the check-in system, to be publicly accessible. Anyone with a web browser could access the data without a password, simply by knowing the bucket’s name: “tabiq.” 

Sen informed TechCrunch to assist in notifying the company. Reqrea secured the storage bucket after TechCrunch contacted both the firm and Japan’s cybersecurity coordination organization, JPCERT.

This recent incident highlights a frequent problem: businesses unintentionally expose or leak their customers’ personal information and sensitive documents, not through advanced hacking but by neglecting fundamental cybersecurity practices. Even amid a current wave of AI-detected vulnerabilities and fresh cybersecurity features, significant security breaches often arise from human mistakes, misconfigurations, or failure to implement cybersecurity best practices.

In a response acknowledging the leak, Reqrea director Masataka Hashimoto informed TechCrunch: “We are performing a comprehensive review with the aid of external legal counsel and other experts to assess the complete extent of the exposure.”

Reqrea stated it remains uncertain how the storage bucket was made public. Typically, Amazon’s cloud storage buckets are set to private by default. Following a series of exposed customer storage buckets a few years back, Amazon added multiple warning prompts that users see before making data public, which makes such lapses harder to commit by accident.

Hashimoto indicated to TechCrunch that the company intends to inform affected individuals once its investigation concludes. 

It is not yet known if anyone besides Sen accessed the exposed data before it was secured. Hashimoto mentioned that the company is analyzing its logs to see if there was any unauthorized access before the bucket was locked.

Information about the exposed bucket was also recorded by GrayHatWarfare, a database that allows searches of publicly accessible cloud storage. The bucket listing includes files from as early as 2020 to as recently as this month, containing identity documents of visitors from various countries.

The hotel check-in system’s vulnerability follows other occurrences involving sensitive government-issued documents. Earlier this year, TechCrunch reported on the exposure of driver’s licenses, passports, and other identity documents uploaded by users of the money transfer service Duc App. A data breach at the car rental company Hertz last year resulted in hackers stealing driver’s license details of at least 100,000 clients.

These events arise at a time when governments are increasingly implementing age-verification regulations and private firms are utilizing “know your customer” procedures to authenticate a person’s identity. Both processes depend on adults submitting sensitive documents, often to a third-party service, for verification, despite concerns raised by cybersecurity professionals. Data breaches can escalate the risk of identity theft or misuse of individuals’ likenesses as age-verification mandates become more widespread globally. 
