A **hotel check-in system** left over a million customer passports, driver’s licenses, and selfie verification photos vulnerable on the open web due to a critical security lapse. This alarming incident, reported by TechCrunch on Friday, May 15, 2026, highlights the persistent challenges businesses face in safeguarding sensitive personal data, even from basic misconfigurations.
The exposed data, now thankfully offline, belonged to guests utilizing Tabiq, a hotel check-in system developed by Japan-based tech startup Reqrea. Tabiq, which leverages facial recognition and document scanning for guest check-ins across numerous Japanese hotels, inadvertently stored highly sensitive identity documents in a publicly accessible Amazon cloud storage bucket.
Understanding the Data Exposure Vulnerability
Independent security researcher Anurag Sen first uncovered the vulnerability, notifying TechCrunch. Sen found that Reqrea had configured one of its Amazon S3 buckets, named “tabiq,” to be publicly accessible. This meant anyone with the bucket’s name could view its contents directly via a web browser, without requiring any password or authentication. The exposed information included passports, driver’s licenses, and accompanying selfie verification photos, encompassing data from hotel guests globally.
Upon being alerted by TechCrunch, who also contacted Japan’s cybersecurity coordination team JPCERT, Reqrea promptly secured the storage bucket. This swift action prevented further unauthorized access, though the duration of the exposure and potential prior access remain under investigation.
“We are conducting a thorough review with the support of external legal counsel and other advisors to determine the full scope of exposure,” stated Masataka Hashimoto, director at Reqrea, acknowledging the lapse.
Recurring Cybersecurity Lapses in Data Handling
This incident is a stark reminder that many significant cybersecurity breaches stem not from sophisticated hacking attempts, but from fundamental failures in implementing basic security protocols. Despite Amazon’s cloud storage services defaulting to private settings and including multiple warning prompts before data can be made public, such misconfigurations continue to occur. Reqrea has indicated it does not know how the storage bucket became public, and is reviewing logs to ascertain if unauthorized access occurred before the data was secured.
The issue of exposed government-issued documents is a growing concern. Earlier this year, TechCrunch reported similar exposures involving money transfer service Duc App and a data breach at car rental giant Hertz, which compromised driver’s license information for hundreds of thousands of customers. As governments worldwide increasingly implement age verification laws and businesses adopt “know your customer” (KYC) checks, the reliance on third-party companies to handle sensitive identity documents creates significant risks. These **hotel check-in system** vulnerabilities can lead to identity fraud and misuse of personal likeness, underscoring the critical need for robust data protection practices.
Protecting Your Identity in a Digital World
The continuous stream of data exposure incidents highlights a pressing need for both companies and individuals to enhance their cybersecurity vigilance. For businesses, this means rigorous adherence to best practices, regular security audits, and thorough employee training on data handling and cloud storage configurations. For consumers, understanding the risks associated with uploading sensitive documents and demanding transparency from service providers about their data security measures is paramount. The Tabiq incident serves as a potent warning about the fragility of personal data in an increasingly digitized world, emphasizing that even seemingly minor missteps can have massive repercussions.



