- A misconfigured Amazon cloud storage bucket left over 1 million travelers' passports and IDs accessible on the open web.
- The data leak originated from Tabiq, a hotel check-in service, which failed to maintain basic security protocols for its customer data.
- The incident serves as a critical warning about the risks of centralizing sensitive identity verification data in third-party databases.
The Anatomy of a Cloud Misconfiguration
In a stark reminder of the fragile state of digital privacy, a significant security lapse has exposed the personal identity documents of over one million travelers. The breach involves Tabiq, a hotel check-in system developed by the Japan-based startup Reqrea. The incident highlights how basic oversights in cloud infrastructure management continue to place millions of individuals at risk of identity theft and fraud.
The Breach: A Publicly Accessible Bucket
The vulnerability was identified by security researcher Anurag Sen, who discovered that an Amazon S3 storage bucket—used by Tabiq to house scanned passports, driver’s licenses, and facial recognition verification photos—was left configured for public access. Because the bucket lacked password protection or proper access control lists, the sensitive documents were accessible to anyone with a web browser who could identify the bucket’s URL.
Following notification from industry reporters, Reqrea acted to secure the repository, working in conjunction with JPCERT, Japan’s cybersecurity coordination team. While the immediate threat has been mitigated, the incident leaves a cloud of uncertainty regarding how long this data remained exposed to unauthorized actors.
Human Error vs. Sophisticated Threats
While the cybersecurity industry often focuses on advanced persistent threats (APTs) and zero-day vulnerabilities, the Tabiq incident is a grim case study in the persistence of human error. Although Amazon has implemented extensive warning systems meant to keep users from making storage buckets public, misconfigurations remain a leading cause of massive data leaks.
- Scope of Data: The exposed files span from early 2020 through mid-2026, including international government-issued identity documents.
- Systemic Risks: The rise of mandatory digital “Know Your Customer” (KYC) and age-verification checks has created massive honeypots of sensitive biometric and identification data.
- Accountability: Reqrea has stated it is conducting an internal audit and working with legal counsel to notify the millions of affected individuals.
The Broader Implications for Privacy
This incident arrives at a precarious time as governments globally push for stricter age-verification laws that mandate the collection of government-issued IDs by third-party services. Cybersecurity experts have long warned that aggregating such sensitive data increases the attack surface for identity theft. As databases like ‘GrayHatWarfare’ continue to index unprotected cloud infrastructure, the need for automated security auditing and rigorous, default-secure cloud configurations has never been more urgent for startups managing sensitive PII (Personally Identifiable Information).
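The automated auditing called for above can start with a check like the following, an added example that is not code from Reqrea, Tabiq, or the original report. It inspects a bucket's Block Public Access flags, ACL grants, and bucket policy for public exposure. The bucket names and snapshots are constructed, and the input dictionaries are assumed to mirror the shapes returned by the S3 GetPublicAccessBlock, GetBucketAcl, and GetBucketPolicy calls.

```python
import json

# ACL grantee groups (last segment of the grantee URI) that S3 treats as public.
PUBLIC_GROUPS = ("AllUsers", "AuthenticatedUsers")
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_bucket(name, bpa, acl, policy_json):
    """Return findings for one bucket's configuration snapshot."""
    bpa, findings = bpa or {}, []
    missing = [flag for flag in BPA_FLAGS if not bpa.get(flag)]
    if missing:
        findings.append(f"{name}: Block Public Access off for {', '.join(missing)}")
    # Public ACL grants take effect only while IgnorePublicAcls is off.
    if not bpa.get("IgnorePublicAcls"):
        for grant in acl.get("Grants", []):
            group = grant.get("Grantee", {}).get("URI", "").rsplit("/", 1)[-1]
            if group in PUBLIC_GROUPS:
                findings.append(f"{name}: ACL grants {grant['Permission']} to {group}")
    # Simplification: only unconditional Allow statements for "*" are flagged.
    if policy_json and not bpa.get("RestrictPublicBuckets"):
        for stmt in as_list(json.loads(policy_json).get("Statement", [])):
            principal = stmt.get("Principal")
            if isinstance(principal, dict):
                principal = "*" if "*" in as_list(principal.get("AWS", [])) else None
            if stmt.get("Effect") == "Allow" and principal == "*" and not stmt.get("Condition"):
                findings.append(f"{name}: policy allows {stmt.get('Action')} to everyone")
    return findings

# Constructed snapshots (hypothetical bucket names, not data from the incident).
SNAPSHOTS = {
    "example-id-scans": (
        None,  # no Block Public Access configuration at all
        {"Grants": [{"Grantee": {"Type": "Group", "URI":
            "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]},
        json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-id-scans/*"}]}),
    ),
    "example-locked": ({flag: True for flag in BPA_FLAGS}, {"Grants": []}, None),
}

def audit_all(snapshots=SNAPSHOTS):
    return {name: audit_bucket(name, *cfg) for name, cfg in snapshots.items()}

if __name__ == "__main__":
    print(json.dumps(audit_all(), indent=2))
```

Policy statements that carry a Condition are skipped here and still need manual review, since a condition may or may not narrow access enough to make the bucket non-public.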