A hotel check-in platform used by several hotels in Japan exposed more than 1 million sensitive customer records, including passports, driver’s licenses, and selfie verification photos, after a cloud storage system was left publicly accessible on the internet without password protection.
The affected system, called Tabiq, is operated by Japan-based startup Reqrea. The platform uses facial recognition and document scanning technology to automate hotel guest check-ins.
Independent security researcher Anurag Sen alerted TechCrunch earlier this week after discovering that one of the company’s Amazon-hosted storage buckets had been configured for public access.
According to Sen, anyone who knew the storage bucket name — “tabiq” — could access the files directly through a web browser without needing authentication or a password.
The exposed records included government-issued identification documents and facial verification images belonging to hotel guests from multiple countries.
Company Secures Exposed Storage Bucket After Disclosure
Reqrea secured the exposed storage bucket after TechCrunch contacted both the company and JPCERT/CC, Japan’s cybersecurity coordination center.
In a statement to TechCrunch, Reqrea director Masataka Hashimoto said the company had begun investigating the incident with support from legal advisors and external specialists.
“We are conducting a thorough review with the support of external legal counsel and other advisors to determine the full scope of exposure,” Hashimoto said.
The company said it does not currently know how the Amazon cloud storage bucket became publicly accessible.
By default, Amazon cloud storage buckets are configured as private. Amazon also introduced multiple warning systems in recent years after a series of previous incidents involving publicly exposed customer data repositories.
Hashimoto said Reqrea plans to notify affected individuals after completing the company’s internal investigation.
It remains unclear whether anyone besides Sen accessed the data before the storage bucket was secured.
According to Hashimoto, the company is reviewing internal logs to determine whether unauthorized access occurred.
Public Indexing Services Also Captured The Exposed Data
Details of the exposed storage bucket were also indexed by GrayHatWarfare, a searchable database that catalogs publicly accessible cloud storage systems.
The indexed files reportedly dated from early 2020 through records uploaded as recently as this month.
The incident adds to a growing number of data exposures involving sensitive identity documents stored by businesses and third-party verification providers.
Earlier this year, TechCrunch reported on a separate exposure involving passports and driver’s licenses uploaded by customers of money transfer platform Duc App.
Last year, a breach involving Hertz exposed driver’s license information belonging to at least 100,000 customers after hackers accessed company systems.
Identity Verification Systems Face Growing Scrutiny
The exposure comes as governments and private companies increasingly rely on digital identity verification systems.
Many age-verification laws and “know your customer” compliance systems now require users to upload passports, driver’s licenses, and facial scans to third-party providers for identity confirmation.
Cybersecurity researchers and privacy advocates have repeatedly warned that centralized collections of identity documents create attractive targets for data exposure, misuse, and fraud.
Security lapses involving identity verification systems can increase the risk of identity theft, fraud, and misuse of facial images and government-issued documents.
Featured image credits: Wikimedia Commons
For more stories like it, click the +Follow button at the top of this page to follow us.