A Hotel Check-In System Left Over a Million Passports and Driver’s Licenses Exposed Online

Imagine checking into a hotel, handing over your passport and driver’s license for verification, only to discover that those sensitive documents were left exposed on the open web for anyone to see. That’s exactly what happened with a hotel check-in system data breach that compromised more than one million identity documents from travelers around the globe.

The system in question, called Tabiq, is operated by the Japanese startup Reqrea. According to the company’s website, Tabiq is deployed in several hotels across Japan, using facial recognition and document scanning to streamline guest check-ins. However, a critical security lapse left the data of countless guests vulnerable to unauthorized access.

How Did the Hotel Check-In System Data Breach Happen?

Independent security researcher Anurag Sen discovered the exposure earlier this week. He found that Reqrea had configured one of its Amazon cloud-hosted storage buckets to be publicly accessible. This meant that anyone with a web browser and knowledge of the bucket name—simply “tabiq”—could view the stored data without needing a password.

The exposed bucket contained a staggering array of sensitive documents: passports, driver’s licenses, and even selfie verification photos from hotel guests worldwide. Sen promptly contacted TechCrunch to help alert the company. After TechCrunch reached out to Reqrea and Japan’s cybersecurity coordination team, JPCERT, the startup locked down the storage bucket.

This incident highlights a recurring issue in cybersecurity: data exposures often stem not from sophisticated hacking but from basic misconfigurations. As companies rush to adopt cloud services, they sometimes overlook fundamental security settings. Amazon’s cloud storage buckets are private by default, and the company has added multiple warning prompts to prevent accidental public access. Yet, errors still occur.

What Data Was Exposed in the Passport Data Leak?

The passport data leak involved identity documents from visitors to Japan and other countries, with files dating from early 2020 through the present month. The bucket was also indexed by GrayHatWarfare, a searchable database of publicly visible cloud storage, meaning the data could have been accessed by malicious actors before the fix was applied.

Reqrea director Masataka Hashimoto acknowledged the exposure in an email, stating: “We are conducting a thorough review with the support of external legal counsel and other advisors to determine the full scope of exposure.” He added that the company does not yet know how the bucket became public and plans to notify affected individuals once the investigation is complete.

It remains unclear whether anyone else accessed the data before it was secured. Hashimoto said the company is reviewing its logs to check for any unauthorized access prior to the lockdown.

Broader Implications of the Driver’s License Exposure

This driver’s license exposure is not an isolated event. Earlier this year, TechCrunch reported on a similar incident involving the money transfer service Duc App, where driver’s licenses, passports, and other identity documents were exposed. Moreover, a data breach at car rental service Hertz last year resulted in hackers stealing driver’s license information from at least 100,000 customers.

These incidents come at a time when governments worldwide are implementing age-verification laws, and businesses are increasingly relying on “know your customer” (KYC) checks. Both practices require adults to upload sensitive documents to third-party companies for verification. However, cybersecurity experts have long warned about the risks of such centralized data storage.

When a cloud misconfiguration like this occurs, the consequences can be severe. Victims of identity document breaches face an elevated risk of identity fraud, financial theft, and even misuse of their likeness for fraudulent verification purposes. As age-verification requirements become more common, the stakes only grow higher.

Lessons Learned: How to Prevent Future Data Breaches

In light of this incident, companies handling sensitive customer data must adopt stricter security protocols. First, they should implement automated scanning tools to detect misconfigured cloud storage buckets. Second, they should enforce multi-factor authentication and strict access controls for all cloud resources. Third, regular security audits and penetration testing can help identify vulnerabilities before they are exploited.
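A sketch of the first recommendation, automated detection of publicly accessible buckets, added here as an example and not taken from Reqrea, Amazon or any scanning product. It evaluates already-fetched bucket settings offline; the bucket names and settings are constructed, the dictionary layout is a simplified assumption, and policy statements carrying a Condition are left for manual review.

```python
ACS = "http://acs.amazonaws.com/groups/global/"
PUBLIC_GROUPS = {ACS + "AllUsers", ACS + "AuthenticatedUsers"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def public_acl_grants(acl):
    """Permissions granted to the AllUsers / AuthenticatedUsers groups."""
    return sorted(g["Permission"] for g in acl.get("Grants", [])
                  if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS)

def public_policy_actions(policy):
    """Actions allowed to a wildcard principal with no Condition attached."""
    actions = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            wildcard = "*" in _as_list(principal.get("AWS", []))
        else:
            wildcard = principal == "*"
        if stmt.get("Effect") == "Allow" and wildcard and not stmt.get("Condition"):
            actions.extend(_as_list(stmt.get("Action", [])))
    return sorted(actions)

def audit_bucket(cfg):
    """Reasons a bucket is publicly reachable; an empty list means none found."""
    pab = cfg.get("PublicAccessBlock", {})
    findings = []
    acl = public_acl_grants(cfg.get("Acl", {}))
    if acl and not pab.get("IgnorePublicAcls", False):  # S3 ignores public ACLs when set
        findings.append("public ACL grants: " + ", ".join(acl))
    actions = public_policy_actions(cfg.get("Policy", {}))
    if actions and not pab.get("RestrictPublicBuckets", False):  # limits public policies
        findings.append("public policy actions: " + ", ".join(actions))
    return findings

# Constructed sample settings (placeholder bucket names, simplified layout).
OPEN_POLICY = {"Statement": [{"Effect": "Allow", "Principal": "*",
                              "Action": ["s3:GetObject", "s3:ListBucket"]}]}
SAMPLES = {
    "example-open": {"Policy": OPEN_POLICY},
    "example-acl": {"Acl": {"Grants": [
        {"Grantee": {"URI": ACS + "AllUsers"}, "Permission": "READ"}]}},
    "example-locked": {"Policy": OPEN_POLICY, "PublicAccessBlock": {
        "IgnorePublicAcls": True, "RestrictPublicBuckets": True}},
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        print(name, audit_bucket(cfg) or "no public access found")
```

The check reads only IgnorePublicAcls and RestrictPublicBuckets because those two settings change how existing ACLs and policies are enforced; BlockPublicAcls and BlockPublicPolicy only reject new public grants.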

For travelers, the takeaway is clear: be cautious about where you upload your identity documents. Whenever possible, use services that encrypt data end-to-end and have a proven track record of security.

Additionally, consider using digital identity protection services that monitor for unauthorized use of your documents. If you suspect your data has been exposed, report it to the relevant authorities immediately and monitor your financial accounts for suspicious activity.

This hotel check-in system data breach serves as a stark reminder that even seemingly minor misconfigurations can lead to massive data exposures. As more companies digitize their operations, the responsibility to safeguard customer information has never been greater.
