Hotel check-in system exposed over 1 million passports and driver's licenses
A hotel check-in system used in several Japanese hotels left over 1 million customer passports, driver's licenses, and selfie verification photos unsecured on the web.

The data, which included sensitive documents of hotel guests from around the world, was stored on an Amazon cloud-hosted storage bucket that was mistakenly set to be publicly accessible. The hotel check-in system, called Tabiq, is maintained by the Japan-based tech startup Reqrea.
According to its website, Tabiq relies on facial recognition and document scanning to check guests in. Independent security researcher Anurag Sen discovered the security lapse and contacted TechCrunch to help notify the company. Sen found that the storage bucket, named 'tabiq,' could be viewed by anyone using a web browser, without needing a password.
Reqrea locked down the storage bucket after TechCrunch reached out to both the company and Japan's cybersecurity coordination team, JPCERT. In an email acknowledging the exposure, Reqrea director Masataka Hashimoto said the company is conducting a thorough review with the support of external legal counsel and other advisors to determine the full scope of exposure. Hashimoto also stated that the company plans to notify affected individuals once it has completed its investigation.
It remains unclear whether anyone other than Sen accessed the exposed data before it was secured. Hashimoto said the company is reviewing its logs to determine whether there had been any unauthorized access prior to securing the bucket. The incident highlights a recurring problem of companies exposing or spilling their customers' personal information and sensitive documents due to human error or misconfigurations.
This latest lapse follows other incidents involving sensitive government-issued documents. Earlier this year, TechCrunch reported on the exposure of driver's licenses, passports, and other identity documents uploaded by customers of money transfer service Duc App. A data breach at car rental service Hertz last year saw hackers make off with driver's license information belonging to at least 100,000 customers.
The exposed data, which included files dating from early 2020 to as recently as this month, was also captured by GrayHatWarfare, a searchable database that indexes publicly visible cloud storage. The captured details of the exposed bucket included identity documents of visitors from countries around the world.
Source: TechCrunch