Key Takeaways
- Massive Data Leak: Over one million sensitive customer documents, including passports, driver’s licenses, and selfie verification photos, were exposed online by Tabiq, a hotel check-in system maintained by Japan’s Reqrea.
- Basic Security Failure: The breach stemmed from a simple misconfiguration – an Amazon S3 storage bucket was left publicly accessible, allowing anyone with the bucket name (“tabiq”) to view highly personal data without a password.
- Recurring Industry Problem: This incident highlights a persistent issue where companies, despite readily available safeguards, fail to implement basic cybersecurity practices, putting individuals at severe risk of identity fraud amidst a global push for digital identity verification.
Digital Identity Under Threat: Hotel Check-In System Leaks Over a Million Sensitive Documents
A critical security lapse has brought into sharp focus the precarious state of digital identity, revealing that a hotel check-in system inadvertently left more than one million customer passports, driver’s licenses, and even selfie verification photos exposed to the open internet. The sensitive data, originating from guests around the world, remained publicly accessible until TechCrunch intervened, prompting the responsible company to swiftly take it offline.
The system at the heart of this breach is Tabiq, a facial recognition and document scanning solution utilized in various hotels across Japan. It is maintained by Reqrea, a tech startup based in Japan, which promises streamlined check-ins through advanced identity verification technologies. However, the convenience offered by such systems comes with a profound responsibility to safeguard the highly personal data they collect – a responsibility that, in this instance, was critically overlooked.
The Discovery: A Simple Error, Grave Consequences
The vulnerability was first brought to light by independent security researcher Anurag Sen, who contacted TechCrunch earlier this week. Sen’s discovery revealed that Reqrea had misconfigured one of its Amazon cloud-hosted storage buckets, used by the Tabiq system to store customer data. Rather than adhering to the default private settings, the bucket was set to be publicly accessible. This meant that merely knowing the bucket’s name, “tabiq,” allowed anyone with a web browser to view its contents without any authentication – no password, no login, just open access to highly sensitive personal information.
Sen’s proactive disclosure to TechCrunch was aimed at facilitating a swift notification to the company. Following TechCrunch’s outreach to both Reqrea and Japan’s cybersecurity coordination team, JPCERT, the storage bucket was promptly secured. While the immediate threat has been mitigated, the incident serves as a stark reminder that some of the most significant security breaches aren’t the result of sophisticated cyberattacks, but rather a failure to follow fundamental cybersecurity hygiene.
Reqrea’s Response and Ongoing Investigation
In an email acknowledging the exposure, Reqrea director Masataka Hashimoto conveyed to TechCrunch, “We are conducting a thorough review with the support of external legal counsel and other advisors to determine the full scope of exposure.” The company’s immediate priority is to understand the extent of the damage and identify who might have accessed the data during the period of exposure. Reqrea has stated its intention to notify affected individuals once its comprehensive investigation is complete, a crucial step in transparency and accountability.
Intriguingly, Reqrea claims it does not know how the storage bucket became public. This assertion raises further questions, especially considering Amazon’s cloud storage buckets are private by default. After a series of similar customer storage bucket exposures several years ago, Amazon implemented multiple warning prompts and safeguards designed to make accidental public exposure exceedingly difficult. This suggests that a deliberate, albeit misguided, action or a significant oversight must have occurred for the “tabiq” bucket to be left open to the world. The company is currently reviewing its logs to determine if there was any unauthorized access prior to the bucket being secured, though definitive answers may take time to emerge.
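To make the misconfiguration described above concrete, the following added example (not from the original article or from Reqrea) shows how a defender can evaluate a bucket's ACL, bucket policy and Block Public Access settings to decide whether it is readable without credentials. The dictionary layout, the `public_exposure` helper and the `example-bucket` configuration are assumptions constructed for illustration.

```python
import json

# Grantee URIs that S3 ACLs use for "everyone" and "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return principal == "*" or (isinstance(principal, list) and "*" in principal)

def public_exposure(bucket):
    """Return the reasons a bucket is reachable without credentials.

    Simplified model: any unconditioned Allow to a wildcard principal counts
    as public; AWS's own evaluation also inspects Condition keys.
    """
    bpa = bucket.get("PublicAccessBlock") or {}
    reasons = []
    # IgnorePublicAcls makes S3 disregard public grants in the ACL.
    if not bpa.get("IgnorePublicAcls"):
        for grant in bucket.get("Acl", {}).get("Grants", []):
            if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
                reasons.append("acl:" + grant["Permission"])
    # RestrictPublicBuckets cuts off anonymous access granted by a policy.
    if not bpa.get("RestrictPublicBuckets"):
        statements = json.loads(bucket.get("Policy") or '{"Statement": []}')["Statement"]
        for s in [statements] if isinstance(statements, dict) else statements:
            if (s.get("Effect") == "Allow" and not s.get("Condition")
                    and _wildcard(s.get("Principal"))):
                actions = s.get("Action", [])
                reasons.append("policy:" + ",".join([actions] if isinstance(actions, str) else actions))
    return reasons

# Constructed sample configurations (not taken from the incident).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
OPEN_POLICY = json.dumps({"Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})
EXPOSED = {"PublicAccessBlock": None, "Policy": OPEN_POLICY,
           "Acl": {"Grants": [{"Grantee": {"URI": ALL_USERS}, "Permission": "READ"}]}}
LOCKED = dict(EXPOSED, PublicAccessBlock={"IgnorePublicAcls": True, "RestrictPublicBuckets": True})

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("locked", LOCKED)):
        print(name, public_exposure(cfg))
```

The same public ACL and policy produce no findings once the Block Public Access flags are enabled, which is why leaving those safeguards on contains this class of mistake.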
The Scale of Exposure: Global Identities at Risk
The exposed bucket contained files dating back to early 2020 and extending up to the current month, illustrating a prolonged period of vulnerability. These files included identity documents belonging to visitors from numerous countries across the globe, underscoring the international scope of the breach. The details of the exposed bucket were also independently captured and indexed by GrayHatWarfare, a searchable database that catalogs publicly visible cloud storage, confirming the public accessibility and the extent of the data at risk.
The data exposed — including high-resolution images of passports, driver’s licenses, and selfie verification photos — represents the crown jewels for identity thieves. Such information can be used for a myriad of malicious activities, from opening fraudulent bank accounts and credit lines to creating fake identities for illicit purposes. The inclusion of selfie verification photos, which often involve individuals holding up their ID documents, adds another layer of risk, potentially allowing for sophisticated impersonation or the bypass of facial recognition systems.
A Troubling Pattern: Misconfigurations and the Cost of Negligence
This incident is far from isolated; it represents a persistent and concerning pattern in the cybersecurity landscape. Time and again, companies expose vast quantities of customer data not through sophisticated hacking attempts, but through fundamental failures in basic cybersecurity practices. Despite the increasing buzz around AI-discovered vulnerabilities and advanced cybersecurity capabilities, oftentimes the most impactful security incidents stem from simple human error, misconfigurations, or a failure to adhere to well-established security best practices. The Tabiq breach serves as yet another testament to the critical importance of foundational security measures.
The hotel check-in system lapse joins a growing list of incidents involving the exposure of sensitive government-issued documents. Earlier this year, TechCrunch reported on the exposure of driver’s licenses, passports, and other identity documents uploaded by customers of the money transfer service Duc App. Last year, a data breach at car rental giant Hertz saw hackers make off with driver’s license information belonging to at least 100,000 customers. These repeated occurrences highlight a systemic issue within businesses that handle sensitive identification data: a lack of rigorous adherence to security protocols, often underestimating the devastating consequences of simple misconfigurations.
The Broader Implications for Digital Identity and KYC
These incidents occur at a pivotal moment when governments worldwide are increasingly rolling out age verification laws, and private businesses are relying more heavily on “know your customer” (KYC) checks to verify a person’s identity. Both processes often require individuals to upload sensitive documents to third-party companies for verification. This practice has drawn significant criticism from cybersecurity experts, who warn about the inherent risks of centralizing vast amounts of highly sensitive personal data with various entities, many of which may not possess the robust security infrastructure or expertise to protect it adequately.
When data lapses occur, as with Tabiq, the individuals whose information was compromised face a heightened risk of identity fraud. Moreover, with the global proliferation of age verification requirements, the potential for malicious actors to misuse a person’s likeness or stolen identity documents becomes an even more pressing concern. The burden of protection, therefore, falls not just on the companies collecting the data but also indirectly on the consumers whose digital identities are increasingly becoming commodities, vulnerable to the simplest of security missteps.
Bottom Line
The Tabiq data breach serves as a stark and urgent reminder that the foundation of digital security often lies not in complex defenses against advanced threats, but in the diligent application of basic, common-sense security practices. For consumers, the incident underscores the inherent risks of entrusting sensitive identity documents to third-party services, necessitating increased vigilance and a critical assessment of how and where their personal data is shared. For businesses handling such critical information, the message is unambiguous: foundational security hygiene, rigorous internal audits, and an unwavering commitment to data protection are not optional extras, but absolute imperatives in an era where a single misconfiguration can expose millions and shatter trust.

