A hotel check-in system left a million passports and driver's licenses open for anyone to see

Key Points:

• Over 1 million customer passports, driver’s licenses, and selfie verification photos were exposed on the open web due to a security lapse in Tabiq, a hotel check-in system maintained by Japan-based startup Reqrea.
• The data was accessible through a publicly available Amazon cloud storage bucket named "tabiq," which did not require a password and could be viewed by anyone who knew the bucket name.
• After being alerted by security researcher Anurag Sen and TechCrunch, Reqrea secured the storage bucket and is conducting a thorough investigation with external legal and cybersecurity advisors to assess the full scope of the exposure.
• It remains unknown if anyone besides the researcher accessed the data, and Reqrea plans to notify affected individuals once the investigation is complete; the incident highlights ongoing risks from basic cybersecurity misconfigurations rather than sophisticated attacks.
• This exposure follows similar incidents involving sensitive identity documents, including breaches at money transfer service Duc App and car rental company Hertz, underscoring a persistent problem with protecting personal customer data.