A hotel’s check-in system exposed over a million customer passports, driver’s licenses, and verification selfies online due to a security oversight, which has now been resolved after TechCrunch’s intervention. The check-in system, Tabiq, developed by Japan-based Reqrea, is utilized across various Japanese hotels using facial recognition and document scanning for guest check-ins.
Security researcher Anurag Sen informed TechCrunch of this leak, which involved publicly accessible Amazon cloud storage containing sensitive guest documents. This access was corrected after TechCrunch contacted Reqrea and Japan’s JPCERT.
This incident highlights ongoing issues of companies exposing sensitive customer data due to inadequate cybersecurity practices. Despite enhanced AI-driven security measures, human errors and misconfigurations remain significant causes of data breaches.
Reqrea’s director, Masataka Hashimoto, acknowledged the breach, stating the company is reviewing the matter with legal counsel to assess the extent of exposure. Amazon’s cloud storage is typically private; however, warning mechanisms have been in place for years to prevent accidental public access, which remains uncertain.
Reqrea plans to notify affected individuals after investigation. It is unclear if others accessed the exposed data prior to being secured. The exposed data details were captured by GrayHatWarfare, revealing files from early 2020 onward. The incident follows other breaches involving sensitive documents, like the Duc App and Hertz exposures.
The rise in age verification laws by governments and “know your customer” checks highlight the need for secure handling of identity documents. Such data breaches elevate identity fraud risks amidst global age verification law implementations.