A hotel check-in system left more than 1 million customers’ passports, driver’s licenses and selfie verification photos on the open web after a security breach. The data is now offline after TechCrunch notified the company responsible.
The hotel check-in system, called Tabiq, is maintained by the Japan-based tech startup Playtime. According to its website, Tabiq is used in several hotels across Japan and relies on facial recognition and document scanning to check in guests.
Independent security researcher Anurag Sen contacted TechCrunch earlier this week after discovering that the system was leaking sensitive documents of hotel guests from around the world. Sen said this was because the startup made one of Amazon’s cloud-hosted storage bins, which the check-in system uses to store customer data, publicly accessible. The data inside could be viewed by anyone with a web browser; no password was needed, only knowledge of the bin name: “tabiq”.
Sen contacted TechCrunch in an effort to help alert the company. Reqrea locked down the storage bin after TechCrunch contacted both the company and Japan’s Cyber Security Coordination Group, JPCERT.
This latest lapse highlights a recurring problem of companies exposing or leaking their customers’ personal information and sensitive documents, not through sophisticated attacks, but by failing to follow basic cybersecurity practices. Alongside the recent buzz about vulnerabilities discovered by artificial intelligence and new cybersecurity capabilities, major security incidents are often due to human error, misconfigurations, or a failure to follow cybersecurity best practices.
In an email acknowledging the report, Reqrea director Masataka Hashimoto told TechCrunch: “We are conducting a thorough review with the support of outside legal counsel and other advisors to determine the full scope of the report.”
Reqrea said it does not know how the storage bin became public. By default, Amazon cloud storage buckets are private. After a series of exposed customer storage bins a few years ago, Amazon added several warning prompts that customers see before data is made public, making this type of mistake increasingly difficult to make accidentally.
Hashimoto told TechCrunch that the company plans to notify affected individuals once it completes its investigation.
It remains unclear whether anyone other than Sen had access to the exposed data before it was secured. Hashimoto said the company is reviewing its logs to determine if there was any authorized access before securing the bin.
Details of the exposed bucket were also recorded by GrayHatWarfare, a searchable database that indexes publicly visible cloud storage. The bucket listing contains records dating from early 2020 to this month and includes visitor IDs from countries around the world.
The breach of the hotel’s check-in system follows other incidents involving sensitive government-issued documents. Earlier this year, TechCrunch reported on the exposure of driver’s licenses, passports and other identification documents uploaded by customers of money transfer service Duc App. A data breach at car rental service Hertz last year led to hackers stealing driver’s license information belonging to at least 100,000 customers.
These incidents come at a time when governments are increasingly enforcing age verification laws and private businesses are using “know your customer” checks to verify a person’s identity. Both rely on adults uploading sensitive documents, often to third-party companies, for verification, despite criticism from cybersecurity experts. As age verification requirements take hold around the world, such data lapses may put people whose information was obtained at greater risk of identity fraud or misuse of their likeness.
