Hotel Check-in System Exposed 1 Million Passports and IDs Online
Original: A hotel check-in system left a million passports and driver’s licenses open for anyone to see
Why This Matters
Highlights ongoing cybersecurity risks in hospitality tech despite improved cloud security measures
Japan-based startup Reqrea's hotel check-in system Tabiq left over 1 million customer passports, driver's licenses, and verification photos publicly accessible through misconfigured Amazon cloud storage. The data was secured after TechCrunch notification.
Security researcher Anurag Sen discovered that Reqrea's Tabiq hotel check-in system exposed sensitive guest documents through a publicly accessible Amazon S3 bucket named 'tabiq.' The facial recognition-based system, used across Japanese hotels, stored customer passports, driver's licenses, and selfie verification photos viewable by anyone with a web browser. Files dated from early 2020 to May 2026 included documents from international visitors. Reqrea director Masataka Hashimoto acknowledged the exposure and said the company is conducting a thorough review with legal counsel. The bucket was secured after TechCrunch contacted both Reqrea and Japan's JPCERT cybersecurity team. Amazon's cloud storage is private by default, making such exposures increasingly difficult to achieve accidentally due to warning prompts implemented after previous incidents.