A misconfigured Amazon S3 storage bucket belonging to the Tabiq hotel check-in system was left publicly accessible without authentication, exposing over one million customer passports, driver's licenses, and selfie verification photos. The bucket, named "tabiq," was secured after disclosure, but the full scope of unauthorized access is under investigation. This incident underscores the significant data breach risk posed by basic cloud storage misconfigurations, despite provider warnings and default secure settings.
Data Security Hotel check-in system exposed over 1 million customer passports May 18, 2026 Share By SC Staff (Adobe Stock) A hotel check-in system called Tabiq, used by hotels in Japan, left over one million customer passports, driver's licenses, and selfie verification photos exposed on the open web due to a security lapse. The sensitive data is now offline after security researcher Anurag Sen alerted TechCrunch, which then notified the company responsible, as TechCrunch reports. The exposed data belonged to users of Tabiq, a system maintained by Japanese tech startup Reqrea that utilizes facial recognition and document scanning for hotel check-ins. Sen discovered that Reqrea had configured one of its Amazon cloud storage buckets, named "tabiq," to be publicly accessible, allowing anyone with the bucket name to view its contents without authentication. Reqrea has since secured the storage bucket after being contacted by TechCrunch and Japan's cybersecurity coordination team, JPCERT. Reqrea director Masataka Hashimoto stated the company is investigating the full scope of the exposure and does not know how the bucket became public. This incident highlights a common issue where basic cybersecurity misconfigurations, rather than sophisticated attacks, lead to significant data breaches. The lapse occurred despite Amazon's default private settings and warning prompts for public bucket configurations. It is unclear if unauthorized parties accessed the data before it was secured, and Reqrea is reviewing logs to determine this. The exposed data, dating back to early 2020, included identity documents from global visitors. This follows similar incidents involving exposed identity documents from other services, occurring as age verification and "know your customer" requirements increase the reliance on sensitive document uploads. Source: TechCrunch SC Staff Related Government security Recovery is the new cyber deterrence Cory Simpson May 18, 2026 Why resilience and quick recovery can deter potential attacks. Data Security Tokee messaging app exposes 1.2 million users’ data in MongoDB leak SC Staff May 14, 2026 Security researchers at Cybernews discovered that a MongoDB instance belonging to Deucetek, the developer of Tokee, was left unsecured and accessible. Data Security Veeam enhances data protection with new AI-powered features SC Staff May 13, 2026 Veeam Data Platform v13.1 introduces over 70 enhancements, including post-quantum cryptography to safeguard backups against future quantum computing threats. Related Events Cybercast Beyond the Hype: The Cybersecurity Trends CISOs are Keeping an Eye on in 2026 On-Demand Event Cybercast Beyond the data perimeter: Why next-generation DSPM is the foundation for modern data security On-Demand Event Virtual Conference Securing the Future of Finance: Strategies to Counter Modern Cyber Threats On-Demand Event Get daily email updates SC Media's daily must-read of the most current and pressing daily news Business Email By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy . Subscribe Related Terms Block Cipher Cipher Ciphertext Cryptographic Algorithm or Hash Cryptographic Hash Functions Data Aggregation Data Encryption Standard (DES) Diffie-Hellman Digital Envelope Digital Signature Standard (DSS) You can skip this ad in 5 seconds