A hotel check-in system left more than a million guest passports, driver’s licenses and selfie verification photos on the public web after a security issue occurred. The data is now offline after TechCrunch alerted the company responsible.
The hotel check-in system, called Tabiq, is maintained by Reqrea, a technology startup based in Japan. According to its website, Tabiq is being used in several hotels across Japan and checks in guests through facial recognition and document scanning.
Anurag Sen, an independent security researcher, contacted TechCrunch earlier this week after discovering that the system was leaking sensitive documents from hotel guests around the world. Sen said this was because the startup had made one of the Amazon cloud-hosted storage buckets that its check-in system uses to store customer data publicly accessible. Anyone with a web browser can view the data inside without a password, as long as they know the bucket name “tabiq”.
Sen alerted TechCrunch to the company. Reqrea locked the storage bucket after TechCrunch contacted the company and Japan’s cybersecurity coordination team, JPCERT.
These latest mistakes highlight the recurring problem of companies exposing or leaking their customers’ personal information and sensitive documents, not through sophisticated attacks but by failing to follow basic cybersecurity practices. In addition to the recent buzz about AI-discovered vulnerabilities and new cybersecurity features, large-scale security incidents are often caused by human error, misconfiguration, or non-compliance with cybersecurity best practices.
In an email acknowledging the exposure, Reqrea director Masataka Hashimoto told TechCrunch: “We are conducting a thorough review, with the assistance of external legal counsel and other advisors, to determine the full extent of our exposure.”
Reqrea said he did not know how the storage bucket became public. By default, Amazon’s cloud storage buckets are private. After the mass exposure of customer storage buckets a few years ago, Amazon added several warning messages to customers before their data was made public, making it increasingly difficult for these kinds of mistakes to happen accidentally.
Hashimoto told TechCrunch that the company plans to notify affected individuals once the investigation is complete.
It is unclear whether anyone other than Sen accessed the exposed data before it was protected. Hashimoto said the company is reviewing logs to determine whether there was authorized access before the bucket was secured.
Details of the exposed buckets were also captured in GrayHatWarfare, a searchable database that indexes publicly visible cloud storage. The bucket list includes files from the beginning of 2020 to this month, as well as identity documents for visitors from around the world.
The outage of the hotel’s check-in system follows other incidents involving sensitive government-issued documents. Earlier this year, TechCrunch reported on an incident where driver’s licenses, passports and other IDs uploaded by customers of money transfer service Duc App were exposed. Last year, car rental service Hertz suffered a data breach in which hackers stole the driver’s license information of at least 100,000 customers.
These incidents come at a time when governments are increasingly enforcing age verification laws and private businesses are using “know your customer” checks to verify individuals’ identities. Despite criticism from cybersecurity experts, both rely on adults who often upload sensitive documents to third-party companies for verification. People whose information is compromised due to missing data may be at increased risk of identity fraud or having their likenesses misused as age verification requirements are implemented globally.
If you purchase through links in our articles, we may receive a small commission. This does not affect our editorial independence.
