Passports and driver’s licenses exposed: hotel check-in system leaked a million records


More than a million identity files — including passports, driver’s licenses and selfie verification photos — were left accessible on the open web after a hotel check-in system misconfigured its cloud storage, a lapse discovered by a security researcher and reported to the company. The exposed data has been taken offline following notification by the reporter and coordination with Japan’s cybersecurity team.

How the exposure unfolded

The check-in platform, known as Tabiq, is developed by Tokyo-based startup Reqrea and is used by a number of hotels in Japan to speed up arrivals using document scans and facial recognition. Researcher Anurag Sen found that one of the system’s Amazon cloud storage containers was set to public access, allowing anyone with the bucket name to browse its contents through a web browser.

TechCrunch says it was alerted by Sen, and reached out to Reqrea and Japan’s national incident response team, JPCERT. After contact, the company restricted access to the storage container. Reqrea has since launched an internal review with outside legal counsel to establish the full scope of what was exposed and who may have accessed it.

Records captured by the cloud indexing service GrayHatWarfare show files spanning from early 2020 through this month, and include identity documents belonging to visitors from multiple countries. It remains unclear whether parties beyond Sen viewed or downloaded the data; Reqrea says it is examining access logs to find out.

What was at risk

  • Types of data: passports, national ID cards, driver’s licenses and selfie photos used for identity checks.
  • Scope: researchers and third‑party indexes reported more than one million files in the exposed bucket.
  • Access method: a publicly readable cloud storage bucket that required no password to view files.
  • Timeline: files dated from 2020 up to the present were visible in the listing captured by third-party services.

Why this matters now

Businesses and governments are increasingly asking people to upload sensitive documents for age checks, travel bookings and anti‑fraud verification. When those records are stored by third parties, a single misconfiguration can expose large volumes of personal information and biometric data.

Data exposures of this kind raise immediate risks: identity theft, targeted fraud, and the misuse of biometric images in scams or deepfake attempts. Recent incidents involving other services that stored driver’s licences and passports underscore that this is not an isolated problem — human error and poor cloud hygiene remain a leading cause of large breaches, even as new tools promise better defenses.

Steps for companies and individuals

Cloud misconfigurations are avoidable. The following measures can reduce the chance of a repeat:

  • For organizations: conduct regular audits of cloud permissions, enforce least‑privilege access, enable default encryption and multi‑factor authentication for admin accounts, and implement automated alerts for publicly exposed buckets.
  • For third‑party vendors: require security assessments, maintain detailed access logs and retain an incident response partner to act quickly when issues are reported.
  • For consumers: check for notifications from businesses you’ve shared documents with, monitor financial accounts and credit reports for suspicious activity, and consider placing freezes or alerts on credit files if you suspect your identity was exposed.
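The audit and alerting step for organizations can be automated. The following is an added example, not code from Reqrea, Tabiq or the original article: it inspects one bucket's public access block, ACL and policy, passed in as dictionaries shaped like the S3 API's responses, and reports why the bucket would be readable by anyone. The bucket name and sample settings are constructed, and treating any policy Condition as a restriction is a simplifying assumption.

```python
# Added example: offline check of one bucket's settings for public read/list access.
PUBLIC_GROUPS = {  # S3 ACL group URIs meaning "anyone" / "any AWS account holder"
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:list*", "s3:*", "*"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _anyone(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_read_findings(pab, acl, policy):
    """Return reasons the bucket is readable by anyone; an empty list means none found."""
    pab, findings = pab or {}, []
    # Public ACL grants are honoured unless IgnorePublicAcls is enabled.
    if not pab.get("IgnorePublicAcls", False):
        for grant in (acl or {}).get("Grants", []):
            uri = grant.get("Grantee", {}).get("URI", "")
            if uri in PUBLIC_GROUPS and grant.get("Permission") in ("READ", "FULL_CONTROL"):
                findings.append("ACL: %s for %s" % (grant["Permission"], uri.rsplit("/", 1)[-1]))
    # A public bucket policy is honoured unless RestrictPublicBuckets is enabled.
    if policy and not pab.get("RestrictPublicBuckets", False):
        for stmt in _as_list(policy.get("Statement", [])):
            actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
            # Simplification (assumption): any Condition is treated as a restriction.
            if (stmt.get("Effect") == "Allow" and _anyone(stmt.get("Principal"))
                    and not stmt.get("Condition") and actions & READ_ACTIONS):
                findings.append("policy: %s allows %s to everyone"
                                % (stmt.get("Sid", "(no Sid)"), sorted(actions)))
    return findings

# Constructed sample settings for a hypothetical bucket "example-checkin-scans".
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicGet", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-checkin-scans/*"}]}
LOCKED_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for label, pab in (("no public access block", None), ("all four settings on", LOCKED_PAB)):
        print(label, "->", public_read_findings(pab, OPEN_ACL, OPEN_POLICY) or "no public read")
```

A non-empty result is the condition to alert on; the check does not evaluate NotPrincipal or NotAction statements.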

Reqrea has told reporters it does not yet know how the storage container was made public and plans to notify affected individuals once the investigation is complete. Storage on cloud platforms such as Amazon S3 is private by default, and the platforms now show extra warning prompts, but experts say those guardrails are no substitute for disciplined operational practices.

As companies continue to rely on automated identity checks, this episode is a reminder that simple configuration errors can have wide, lasting consequences — and that firms, regulators and users must all play a role in closing those gaps.
