Hotel Check-In System Exposes Over a Million Sensitive Documents
In a significant data security lapse, a hotel check-in system inadvertently exposed more than one million sensitive documents, including customer passports, driver’s licenses, and verification photos, to the public internet. This breach underscores the critical importance of stringent cybersecurity measures in handling personal data.
The Breach Unveiled
The compromised system, known as Tabiq, is operated by the Japan-based tech startup Reqrea. Tabiq is utilized by several hotels across Japan, employing facial recognition and document scanning technologies to streamline guest check-ins. The exposure was discovered by independent security researcher Anurag Sen, who found that an Amazon Web Services (AWS) storage bucket used by Tabiq was misconfigured to be publicly accessible. This misconfiguration allowed anyone with internet access to view and download the stored documents without authentication.
Immediate Response and Investigation
Upon being alerted by TechCrunch, Reqrea promptly secured the exposed storage bucket. Masataka Hashimoto, a director at Reqrea, acknowledged the incident and stated that the company is conducting a comprehensive review with external legal counsel and advisors to determine the full scope of the exposure. The company plans to notify affected individuals once the investigation is complete. It remains unclear whether any unauthorized parties accessed the data before it was secured.
Broader Implications and Industry Context
This incident is part of a troubling pattern of data breaches in the hospitality industry. For instance, in April 2026, Booking.com confirmed that hackers accessed customers’ personal data, including names, email addresses, phone numbers, and booking details. Similarly, in April 2024, Omni Hotels & Resorts reported a ransomware attack that resulted in the theft of customer names, email addresses, postal addresses, and guest loyalty program information. These breaches highlight the persistent vulnerabilities in the sector and the need for robust security protocols.
The Role of Cloud Storage Misconfigurations
Cloud storage misconfigurations have been a recurring cause of data exposures. AWS storage buckets, by default, are private. However, improper configurations can render them publicly accessible. Despite AWS implementing warning prompts to prevent accidental public access, such misconfigurations continue to occur, often due to human error or oversight. This incident serves as a stark reminder of the importance of adhering to best practices in cloud storage security.
Protecting Personal Information
For individuals, this breach underscores the importance of vigilance in protecting personal information. When providing sensitive documents to service providers, it’s crucial to inquire about their data protection measures. Additionally, monitoring personal accounts for unusual activity and being cautious of potential phishing attempts are essential steps in safeguarding personal data.
Conclusion
The exposure of over a million sensitive documents due to a hotel check-in system’s misconfiguration highlights the critical need for stringent cybersecurity measures in the hospitality industry. As data breaches become increasingly common, both companies and individuals must prioritize data protection to prevent unauthorized access and potential misuse of personal information.
