- A cloud misconfiguration at the 'Tabiq' hotel check-in system exposed over 1 million passports and government IDs to the public internet.
- The data was stored in an unsecured Amazon S3 bucket that had no basic access controls or password protection.
- The incident highlights the growing risks associated with mandatory identity verification programs and the constant threat of human error in cloud security.
A Massive Data Exposure in the Hospitality Sector
In a sobering reminder of the fragile state of digital privacy, a major security oversight has resulted in the exposure of over one million sensitive customer documents. The breach, which affected the Japanese hotel check-in system Tabiq, left passports, driver’s licenses, and biometric verification photos accessible to anyone with a standard web browser.
The Anatomy of the Breach
The security lapse was identified by independent researcher Anurag Sen, who discovered that the Tokyo-based startup Reqrea had inadvertently misconfigured an Amazon Web Services (AWS) S3 storage bucket. Because the bucket was left public, its contents could be read without any authentication, which allowed the data to be indexed by public search tools like GrayHatWarfare.
Despite Amazon’s efforts to implement multiple warning prompts to prevent such accidental public exposure, this incident highlights a recurring, systemic issue: human error in cloud configuration remains a primary catalyst for large-scale data breaches.
Key Findings of the Investigation:
- Volume: Over 1 million files, including passports and government-issued IDs, were compromised.
- Timeline: The exposed data spanned from early 2020 through mid-2026.
- Scope: Travelers from across the globe were affected, as Tabiq’s facial recognition and scanning services are utilized by various hotels throughout Japan.
Why Simple Misconfigurations Still Plague Tech
While the cybersecurity industry often focuses on high-level threats like sophisticated state-sponsored attacks or zero-day AI exploits, this incident serves as a stark warning that lapses in basic hygiene are the most significant vulnerability. When organizations fail to audit their cloud storage settings, they expose their customers to severe risks, including identity theft, fraud, and the misuse of biometric data.
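An added example (not from the original article and not Reqrea's or AWS's own code) of the storage audit this paragraph calls for: it takes documents in the shape returned by S3's GetPublicAccessBlock, GetBucketAcl and GetBucketPolicy calls and reports why a bucket is anonymously reachable. The function names, bucket name and sample documents are constructed, and treating any policy Condition as restrictive is a simplifying assumption.

```python
import json

# Group URIs S3 uses in ACL grants for "everyone" and "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_exposure(pab, acl, policy_json):
    """List why a bucket is publicly reachable; an empty list means it is not."""
    pab = pab or {}  # None: Block Public Access was never configured
    reasons = []
    # IgnorePublicAcls neutralises existing public grants; BlockPublicAcls only stops new ones.
    if not pab.get("IgnorePublicAcls"):
        for g in acl.get("Grants", []):
            if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
                reasons.append(f"acl:{g['Permission']}")
    # RestrictPublicBuckets cuts off anonymous access granted by a public policy.
    if policy_json and not pab.get("RestrictPublicBuckets"):
        stmts = json.loads(policy_json).get("Statement", [])
        for s in ([stmts] if isinstance(stmts, dict) else stmts):
            # Simplification (assumption): any Condition is treated as restricting access.
            if (s.get("Effect") == "Allow" and _is_wildcard(s.get("Principal"))
                    and not s.get("Condition")):
                actions = s.get("Action", [])
                actions = [actions] if isinstance(actions, str) else actions
                reasons.append("policy:" + ",".join(actions))
    return reasons

# Constructed sample documents: anonymous read granted by policy, owner-only ACL.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-checkin-bucket/*"}]})
OWNER_ONLY_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE"},
                              "Permission": "FULL_CONTROL"}]}
LOCKED = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
          "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print("no block:", public_exposure(None, OWNER_ONLY_ACL, SAMPLE_POLICY))
    print("locked:  ", public_exposure(LOCKED, OWNER_ONLY_ACL, SAMPLE_POLICY))
```

In a real audit the three input documents would come from the account's own buckets, and any non-empty result on a bucket holding identity documents is a finding to fix before anything else.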
Reqrea director Masataka Hashimoto confirmed that the company is currently conducting a formal investigation with external legal counsel. However, questions remain regarding how long the data was truly exposed and whether malicious actors—beyond the security researcher—exploited the vulnerability before it was locked down.
The Cost of ‘Know Your Customer’ Requirements
This incident is part of a growing trend where businesses, pressured by government mandates for age verification and identity checks, are collecting vast amounts of sensitive information. As private companies become repositories for high-value government documents, the burden of security increases exponentially. For travelers, the takeaway is clear: as digital verification becomes the global standard, the risk profile of every hotel check-in or service enrollment continues to climb. Companies must prioritize “Privacy by Design” to ensure that regulatory compliance does not come at the expense of user safety.