Hotel Check System Left 1 Million Passports Exposed

The Discovery: A Million Travel Documents Left Unprotected

An independent security researcher named Anurag Sen made a startling find earlier this year. While scanning the internet for exposed data, he stumbled upon a cloud storage bucket that required no password to access. Inside sat more than one million sensitive identity documents belonging to hotel guests from around the world. The bucket belonged to a Japan-based startup called Reqrea, which maintains a hotel check-in system known as Tabiq. This hotel passport leak exposed passports, driver’s licenses, and selfie verification photos to anyone who knew the bucket name: “tabiq.”


Sen acted quickly. He contacted TechCrunch to help notify the company about the exposure. After TechCrunch reached out to Reqrea and Japan’s cybersecurity coordination team, JPCERT, the company locked down the bucket. But the data had been sitting open for an unknown period, with files dating back to early 2020 and continuing up to the month of the report.

This incident is not an isolated case. It follows a pattern where companies expose customer data not through sophisticated hacking attempts, but through basic security failures. The hotel passport leak serves as a stark reminder that even systems handling highly sensitive documents can fall victim to simple misconfigurations.

What Was Actually Exposed in the Data Bucket

The exposed bucket contained far more than just names and reservation numbers. Researchers found complete scans of government-issued identity documents from visitors across multiple countries. These included passport pages showing the holder’s photograph, full name, date of birth, passport number, and nationality. Driver’s licenses with similar personal details were also present. Perhaps most concerning were the selfie verification photos, which hotels using Tabiq required guests to take during check-in.

These selfie images are particularly valuable to malicious actors. They capture a person’s likeness in real time, often holding their passport or license next to their face. This combination of biometric data and government ID creates a complete identity package. Someone with access to this information could attempt to open bank accounts, apply for loans, or create fake identities that pass verification checks.

The bucket listing also appeared on GrayHatWarfare, a searchable database that indexes publicly visible cloud storage. This means the data was discoverable by anyone actively searching for exposed cloud buckets, not just by chance. The hotel passport leak had a digital footprint that extended beyond the original bucket itself.

How Cloud Misconfiguration Made This Leak Possible

Amazon Web Services, the cloud provider hosting the exposed bucket, sets all storage containers to private by default. This is a standard security measure that has been in place for years. After a wave of similar exposures around 2017 and 2018, Amazon added extra warning prompts that appear before any user can change a bucket’s settings to public. These prompts explicitly state the risks of making data accessible to the open internet.

Despite these safeguards, the “tabiq” bucket was set to publicly readable. Reqrea director Masataka Hashimoto told TechCrunch that the company does not know how the bucket became public. The company is conducting a thorough review with external legal counsel and other advisors to determine the full scope of the exposure.

Cloud misconfiguration remains one of the leading causes of data breaches worldwide. A 2023 report from the Cloud Security Alliance found that misconfigurations accounted for roughly 37 percent of cloud-related security incidents. The problem is not unique to small startups. Large enterprises, government agencies, and healthcare providers have all suffered similar exposures. What makes this case particularly troubling is the nature of the data involved. A misconfigured bucket holding marketing analytics is one thing. A misconfigured bucket holding a million passports is another entirely.

Why Companies Still Make This Mistake Despite Clear Warnings

It is easy to ask why any company would leave a bucket containing identity documents open to the public. The answer often comes down to speed and convenience during development. Engineering teams sometimes set a bucket to public for testing purposes and forget to revert the setting before going live. In other cases, automated scripts or infrastructure-as-code templates contain public access settings that get carried over from development environments.

Human error plays a significant role. A tired developer might click through a warning prompt without reading it. A team under pressure to launch a new feature might skip security review steps. The problem is not malice but haste. When companies handle sensitive documents like passports and driver’s licenses, there should be no room for shortcuts.

Reqrea’s response suggests they are taking the incident seriously. The company locked down the bucket promptly after being notified. They are reviewing logs to determine whether anyone else accessed the data before it was secured. Hashimoto stated that the company plans to notify affected individuals once the investigation is complete. However, the damage may already be done if malicious actors accessed the bucket before Sen discovered it.

The Global Reach: Passports and IDs From Multiple Countries

The exposed data was not limited to Japanese citizens or residents of a single region. Because Tabiq is used in hotels across Japan that cater to international travelers, the bucket contained identity documents from visitors around the world. European passports, North American driver’s licenses, Asian identity cards, and Australian travel documents were all present in the data set.

This global scope amplifies the potential harm. Different countries have different laws regarding identity theft protection and data breach notification. A traveler from Germany whose passport was exposed may have legal recourse under the General Data Protection Regulation. A traveler from the United States may need to rely on state-level breach notification laws, which vary widely. The hotel passport leak creates a complex web of jurisdictional challenges for both the company and affected individuals.

The files in the bucket dated back to early 2020. This means the exposure may have persisted for more than three years before being discovered. During that time, anyone with basic technical knowledge could have accessed the bucket and downloaded the contents. The full extent of the exposure may never be known.

What This Means for Travelers Who Used Hotel Check-In Kiosks

If you have stayed at a hotel in Japan that uses automated check-in kiosks with facial recognition, there is a chance your documents were exposed. Tabiq is marketed as a system that streamlines the check-in process by scanning passports and taking verification selfies. Hotels using this system include several properties across Japan, though the exact list has not been publicly disclosed.

For travelers, the uncertainty is unsettling. You may not know whether your data was caught in this leak. Hotels do not always disclose which third-party systems they use for check-in. A front desk agent might not even know the name of the software running on the kiosk. This lack of transparency leaves guests in the dark about their own data security.

If you traveled to Japan between early 2020 and the date of the report and used a hotel with digital check-in, it is worth taking precautions. Monitor your credit reports, watch for unusual activity on your accounts, and consider placing a fraud alert on your credit file. These steps are prudent regardless of whether you know for certain that your data was exposed.

How to Protect Yourself After a Hotel Passport Leak

If you suspect your identity documents may have been included in this exposure, there are concrete steps you can take. The first and most important action is to monitor your financial accounts for unauthorized activity. Set up alerts for any new account openings, credit inquiries, or large transactions. Most banks and credit card companies offer free notification services.


Next, consider placing a credit freeze with the three major credit bureaus. A credit freeze prevents new accounts from being opened in your name without your explicit authorization. This is one of the most effective ways to prevent identity fraud. You can temporarily lift the freeze when you need to apply for credit yourself.

For passport holders specifically, you can monitor your travel document’s usage. If you suspect your passport number has been compromised, you may want to request a new passport with a different number. The process varies by country, but many governments allow citizens to replace a compromised passport. Keep copies of your passport data page in a secure location so you can prove the original document was valid if someone attempts to use your identity.

Finally, stay informed about the situation. Reqrea has stated that it plans to notify affected individuals. Watch for communications from the company or from hotels where you stayed. If you receive a notification, follow the recommended steps carefully. Do not ignore breach notifications, even if they seem generic.

The Bigger Picture: Age Verification and Know Your Customer Laws

This incident occurs at a time when governments around the world are implementing stricter age verification requirements. Several countries have passed laws requiring online platforms to verify the age of their users before granting access to certain content. Businesses are also adopting “know your customer” checks to verify the identity of individuals using their services.

Both trends rely on customers uploading sensitive identity documents to third-party verification systems. A person might upload their passport to verify their age for a social media platform, or provide their driver’s license to a money transfer service. Each upload creates a new point of vulnerability. If any of these systems suffer a misconfiguration, the same type of exposure can occur.

Cybersecurity experts have raised concerns about the proliferation of document upload requirements. Every new system that collects identity documents represents another potential entry point for data thieves. The hotel passport leak demonstrates that even established systems with a clear security mandate can fail. As more companies and governments require document uploads, the aggregate risk to consumers grows.

What Hotels and Vendors Must Learn From This Incident

For hotels using third-party check-in systems, this incident highlights the need for vendor risk assessment. Hotels should ask their technology providers about data storage practices, access controls, and breach notification procedures. A contract should specify how customer data is stored, who has access to it, and what happens in the event of a security incident.

For technology vendors like Reqrea, the lesson is clear. Cloud storage configurations must be audited regularly. Automated scanning tools can detect publicly accessible buckets before they cause harm. Companies handling sensitive documents should implement multi-layered verification processes. No single person should have the ability to make a storage bucket public without approval from a security team.

Amazon and other cloud providers have added warning prompts, but these are not foolproof. Additional safeguards such as automated policy enforcement, read-only access controls, and real-time monitoring can catch misconfigurations before data is exposed. The technology exists. The challenge is ensuring that companies use it consistently.
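The two preceding passages call for regular audits of storage configurations, automated detection of publicly readable buckets, and policy enforcement that catches a weak setting before data is exposed. The following is an added example written for this article, not code from Reqrea, Tabiq, AWS or the researcher involved. It evaluates, entirely offline, the three things that together decide whether an S3 bucket can be read anonymously: the account or bucket Block Public Access flags, the bucket policy document, and the ACL grants. The input shapes mirror what the GetPublicAccessBlock, GetBucketPolicy and GetBucketAcl API calls return, but the bucket name, the account id and the role ARN in the sample configurations are constructed placeholders. The weak configuration is shown beside its hardened counterpart so the audit can be seen flagging one and clearing the other.

```python
"""Offline audit of S3 bucket settings for anonymous-read exposure.

Added example for this article (not Reqrea's, Tabiq's or AWS's code).
Sample bucket name, account id and ARN below are constructed placeholders.
"""
import json

# Grantee group URIs that mean "anyone on the internet" / "any AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_anonymous(principal) -> bool:
    """True when a statement's Principal is the wildcard (anyone)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def _public_statement_sids(policy_json: str):
    """Return the Sids of unconditional Allow statements granted to anyone."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    sids = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        # A Condition (source VPC, source IP, ...) narrows the grant; this
        # simplified check only treats unconditional wildcard grants as public.
        if stmt.get("Condition"):
            continue
        sids.append(stmt.get("Sid", "<no Sid>"))
    return sids


def audit_bucket(name, public_access_block, policy_json=None, acl_grants=()):
    """Return a list of findings; an empty list means no anonymous-read path was found.

    A Block Public Access flag that is missing is treated as False, which is how
    an account that never configured the feature behaves.
    """
    findings = []
    pab = {flag: bool(public_access_block.get(flag, False)) for flag in PAB_FLAGS}

    if policy_json:
        sids = _public_statement_sids(policy_json)
        # RestrictPublicBuckets neutralises a public policy for anonymous callers.
        if sids and not pab["RestrictPublicBuckets"]:
            findings.append(f"{name}: bucket policy grants anonymous access "
                            f"via statement(s) {', '.join(sids)}")

    for grant in acl_grants:
        grantee = grant.get("Grantee", {})
        public_group = grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS
        # IgnorePublicAcls makes such grants inert even if they exist.
        if public_group and not pab["IgnorePublicAcls"]:
            findings.append(f"{name}: ACL grants {grant.get('Permission')} to {grantee['URI']}")

    if not all(pab.values()):
        off = [flag for flag, on in pab.items() if not on]
        findings.append(f"{name}: Block Public Access not fully enabled (off: {', '.join(off)})")
    return findings


# Constructed sample configurations (placeholder names and ids).
BUCKET = "constructed-example-bucket"
WEAK_CONFIG = dict(
    public_access_block={flag: False for flag in PAB_FLAGS},
    policy_json=json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}),
    acl_grants=[{"Grantee": {"Type": "Group",
                             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                 "Permission": "READ"}],
)
HARDENED_CONFIG = dict(
    public_access_block={flag: True for flag in PAB_FLAGS},
    policy_json=json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "ServiceRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/checkin-service"},
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}),
    acl_grants=[{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                 "Permission": "FULL_CONTROL"}],
)


def run_samples():
    """Audit both sample configurations; the weak one yields three findings."""
    return {"weak": audit_bucket(BUCKET, **WEAK_CONFIG),
            "hardened": audit_bucket(BUCKET, **HARDENED_CONFIG)}


if __name__ == "__main__":
    for label, findings in run_samples().items():
        print(label, "->", findings or ["no anonymous-read path found"])
```

In a real environment the three inputs would come from the S3 API for every bucket in the account, and the check would run on a schedule as well as in the pipeline that applies infrastructure-as-code, so that a template carrying a public setting over from a development environment is rejected before it reaches production rather than found afterwards by an outside researcher.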

Reqrea’s director acknowledged the exposure and stated that the company is conducting a thorough review with external legal counsel. This is the appropriate response. The company has taken the data offline and is working to determine the full scope of the incident. The next critical step is notifying affected individuals promptly and transparently.

What Independent Researchers Mean for Data Security

This discovery would likely not have been made without the work of independent security researcher Anurag Sen. Researchers like Sen scan the internet regularly for exposed data. They often find misconfigured systems before malicious actors do. When they find something, they typically try to notify the affected company or a media outlet that can help.

This system of ethical disclosure works, but it is informal. Researchers have no legal obligation to report what they find. Companies have no legal obligation to respond. In this case, TechCrunch helped bridge the gap by contacting both Reqrea and JPCERT. The bucket was secured relatively quickly. But the process relies on goodwill and good timing.

Some governments have considered requiring companies to maintain a point of contact for security researchers. Others have debated whether independent scanning of cloud storage should be legal. These conversations are ongoing. What is clear is that researchers play a vital role in discovering exposures that companies might not find on their own.
