A hotel check-in system used by several hotels in Japan left more than 1 million customer passports, driver’s licenses, and selfie verification photos exposed on the open web after a major security lapse.
The data has now been taken offline after TechCrunch alerted the company responsible.
The system, known as Tabiq, is operated by Japan-based tech startup Reqrea. According to the company’s website, Tabiq is used by hotels to check guests in using facial recognition and document scanning technology.
Independent security researcher Anurag Sen discovered the exposed data earlier this week and contacted TechCrunch to help report the issue. Sen said the leak happened because Reqrea had set an Amazon cloud storage bucket used by Tabiq to store customer data as publicly accessible. Anyone with a web browser could view the files without a password if they knew the bucket name, “tabiq.”
After TechCrunch contacted Reqrea and Japan’s cybersecurity coordination team, JPCERT, the company locked down the exposed storage bucket.
The incident highlights a familiar cybersecurity problem where companies expose sensitive customer data not through advanced hacking, but through basic mistakes such as cloud misconfigurations and poor security practices. While artificial intelligence and new cyber threats often dominate security headlines, many large data exposures still happen because of human error or failure to follow standard cybersecurity safeguards.
Reqrea director Masataka Hashimoto confirmed the exposure in an email to TechCrunch, saying the company is carrying out a detailed review with support from external legal counsel and other advisors to determine the full scope of the incident.
Reqrea said it does not yet know how the storage bucket became public. Amazon cloud storage buckets are private by default, and Amazon has added multiple warning prompts over the years to prevent customers from accidentally making data publicly accessible.
Hashimoto said Reqrea plans to notify affected individuals after completing its investigation. It is still unclear whether anyone other than Sen accessed the exposed data before the bucket was secured. The company is reviewing logs to check whether there was any unauthorized access before the issue was fixed.
Details of the exposed storage bucket were also recorded by GrayHatWarfare, a searchable database that indexes publicly visible cloud storage. The listing showed files dating back to early 2020 and as recently as this month, including identity documents belonging to travelers from different countries.
The Tabiq incident follows other recent cases involving exposed government-issued documents. Earlier this year, TechCrunch reported that driver’s licenses, passports, and other identity documents uploaded by users of money transfer service Duc App were exposed. A separate breach at car rental company Hertz last year also resulted in hackers stealing driver’s license information from at least 100,000 customers.
The latest exposure comes as governments and businesses increasingly rely on identity verification systems, age-verification checks, and know-your-customer processes that require people to upload sensitive documents to third-party services. Security experts have repeatedly warned that such systems can create serious privacy risks when companies fail to protect the data properly. Data leaks involving passports, driver’s licenses, and selfie photos can increase the risk of identity fraud and misuse of a person’s likeness.





