Massive Data Breach in Hotel Check-In System

A security lapse in the Tabiq hotel check-in system exposed over a million sensitive documents online; the data was secured after an alert from TechCrunch.

By Marcus Thorne, May 18, 2026

A hotel check-in system named Tabiq exposed more than 1 million customer passports, driver’s licenses, and selfie verification photos online, a security lapse now resolved after TechCrunch's intervention.

Tabiq's Security Oversight

The Tabiq system, operated by Japan-based tech startup Reqrea, is widely used across Japanese hotels for guest check-ins, utilizing facial recognition and document scanning. Independent security researcher Anurag Sen discovered the exposure, noting that the data was stored in an Amazon cloud bucket set to public access. The bucket's contents could be accessed by anyone on the internet who knew the bucket's name, "tabiq."

Company Response and Remedial Actions

Following Sen's alert, TechCrunch contacted Reqrea and Japan’s cybersecurity team, JPCERT. Consequently, the data storage was secured. Masataka Hashimoto, a director at Reqrea, confirmed the company is conducting a thorough review to assess the incident's scope. Hashimoto said, "We are conducting a thorough review with the support of external legal counsel and other advisors to determine the full scope of exposure."

Previous Incidents and Broader Implications

This incident highlights a recurring issue of companies mishandling customer data due to poor cybersecurity practices. Despite advancements in AI for discovering vulnerabilities, human error remains a significant risk. The breach follows other recent exposures, including those involving Duc App and Hertz.

Ongoing Investigation

Reqrea has yet to determine how the storage bucket was made public, as Amazon's cloud storage is typically set to private by default. Hashimoto stated that affected individuals would be notified after the investigation. It's unclear if anyone other than Sen accessed the data before it was secured. The public bucket was also indexed by GrayHatWarfare, which showed files dating from 2020 to as recently as this month.
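
For teams reviewing their own storage, the following added example (not from the article, Reqrea or TechCrunch) checks the three settings that decide whether an Amazon S3 bucket is publicly reachable: the Block Public Access flags, ACL grants and bucket policy statements. The input shapes follow the S3 GetPublicAccessBlock, GetBucketAcl and GetBucketPolicy responses; the sample ACL, policy and the bucket name "example-bucket" are constructed, and the helper names are hypothetical. Policy statements that carry a Condition are only flagged for manual review.

```python
# Added example: offline audit of S3-style bucket settings for public exposure.
# Input dicts mirror the shapes returned by the S3 GetPublicAccessBlock,
# GetBucketAcl and GetBucketPolicy APIs; all sample values are constructed.
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard_principal(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def audit_bucket(block_cfg, acl, policy_json):
    """Return a list of findings describing how the bucket is publicly reachable."""
    findings = []
    block_cfg = block_cfg or {}  # no Block Public Access config means nothing is blocked
    # ACL grants to the global groups count unless IgnorePublicAcls is on.
    if not block_cfg.get("IgnorePublicAcls", False):
        for grant in acl.get("Grants", []):
            if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
                findings.append(f"acl:{grant['Permission']}")
    # Allow statements for Principal "*" count unless RestrictPublicBuckets is on.
    if policy_json and not block_cfg.get("RestrictPublicBuckets", False):
        for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
            if stmt.get("Effect") == "Allow" and _is_wildcard_principal(stmt.get("Principal")):
                tag = "policy-conditional" if stmt.get("Condition") else "policy"
                findings += [f"{tag}:{a}" for a in _as_list(stmt.get("Action", []))]
    return findings

# Constructed sample: a bucket that lets anyone list and read objects.
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::example-bucket/*"}]})
ALL_BLOCKED = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print(audit_bucket(None, SAMPLE_ACL, SAMPLE_POLICY))         # public via ACL and policy
    print(audit_bucket(ALL_BLOCKED, SAMPLE_ACL, SAMPLE_POLICY))  # no public path remains
```

An empty result for a bucket that holds identity documents is the expected state; any finding identifies which setting (ACL or policy) to trace back through change history.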

These incidents occur amid rising demands for age-verification laws, which require uploading sensitive documents to third-party companies. Such data breaches increase the risk of identity fraud, sparking further debate over data security as these laws gain traction globally.

Source: https://techcrunch.com/2026/05/15/a-hotel-check-in-system-left-a-million-passports-and-drivers-licenses-open-for-anyone-to-see/