A hotel check-in platform used in multiple Japanese hotels exposed more than one million guest identity documents online due to a cloud storage misconfiguration. The data exposure affected passports, driver’s licences, and facial verification images collected during the check-in process.
The system, known as Tabiq, was developed and maintained by Reqrea, a technology startup based in Japan. It utilises facial recognition and document scanning to verify customers during the booking process. However, the company left a key Amazon Web Services (AWS) storage bucket set to public access, meaning anyone with knowledge of the bucket name could access the sensitive data without restriction.
The issue was discovered by independent security researcher Anurag Sen, who alerted technology news outlet TechCrunch. Once notified, Reqrea addressed the problem by securing the storage bucket and began conducting a review into the extent of the data exposure.
Cloud storage buckets from providers such as AWS are set to private by default, and security warnings are in place to prevent accidental public exposure. Despite this, misconfiguration remains a common cause of large-scale data leaks, often due to human error or gaps in cybersecurity practices rather than external attacks.
Reqrea’s director Masataka Hashimoto confirmed the company is working with external legal and technical advisors to investigate how the breach occurred and to determine whether the data was accessed by any unauthorised parties. The company plans to notify affected individuals once the review is complete.
The exposed bucket contained data dating as far back as early 2020 and included documents from customers worldwide. The listing was indexed by a searchable database known as GrayHatWarfare, which tracks publicly visible cloud storage data.
This incident follows recent similar exposures involving sensitive identity documents. Earlier this year, a data breach affected users of a money transfer service, and in 2023, car rental company Hertz suffered a hack compromising driver’s licence information for hundreds of thousands of customers.
These breaches highlight ongoing risks as more businesses implement identity verification systems requiring the submission of government-issued documents. The reliance on third-party service providers introduces vulnerabilities that, if not carefully managed, can lead to widespread exposure of personal data.
With identity verification becoming more common in private and government sectors, there is increasing pressure to ensure that data protection protocols keep pace to minimise risks of fraud and misuse. The Tabiq data leak serves as a reminder of the importance of strict cybersecurity controls in safeguarding traveller and consumer information.