RSS

Hotel check-in system exposed 1M passports and driver's licenses

p_stuart821 pts0 comments

A hotel check-in system left a million passports and driver's licenses open for anyone to see | TechCrunch

SearchSubmit

Site Search Toggle

Mega Menu Toggle

Topics

Latest

AI

Amazon

Apps

Biotech & Health

Climate

Cloud Computing

Commerce

Crypto

Enterprise

EVs

Fintech

Fundraising

Gadgets

Gaming

Google

Government & Policy

Hardware

Instagram

Layoffs

Media & Entertainment

Meta

Microsoft

Privacy

Robotics

Security

Social

Space

Startups

TikTok

Transportation

Venture

More from TechCrunch

Staff

Events

Startup Battlefield

StrictlyVC

Newsletters

Podcasts

Videos

Partner Content

TechCrunch Brand Studio

Crunchboard

Contact Us

Image Credits: Bryce Durbin / TechCrunch

Security

A hotel check-in system left a million passports and driver’s licenses open for anyone to see

Zack Whittaker

11:51 AM PDT · May 15, 2026

A hotel check-in system left more than one million customer passports, driver’s licenses, and selfie verification photos to the open web after a security lapse. The data is now offline after TechCrunch alerted the company responsible.

The hotel check-in system, called Tabiq, is maintained by the Japan-based tech startup Reqrea. According to its website, Tabiq is used in several hotels across Japan and relies on facial recognition and document scanning to check guests in.

Independent security researcher Anurag Sen contacted TechCrunch earlier this week after discovering that the system was leaking the sensitive documents of hotel guests from around the world. Sen said this was because the startup set one of its Amazon cloud-hosted storage buckets, which the check-in system uses to store customer data, to be publicly accessible. The data inside could be viewed by anyone using a web browser, without needing a password, by knowing only the bucket name: "tabiq."

Sen alerted TechCrunch in an effort to help in notifying the company. Reqrea locked down the storage bucket after TechCrunch reached out to both the company and Japan’s cybersecurity coordination team, JPCERT.

This latest lapse underscores a recurring problem of companies exposing or spilling their customers’ personal information and sensitive documents — not through sophisticated attacks, but by failing to follow basic cybersecurity practices. Aside from a recent buzz of AI-discovered vulnerabilities and new cybersecurity capabilities, oftentimes sizable security incidents stem from human error, misconfigurations, or failing to adhere to cybersecurity best practices.

In an email acknowledging the exposure, Reqrea director Masataka Hashimoto told TechCrunch: "We are conducting a thorough review with the support of external legal counsel and other advisors to determine the full scope of exposure."

Reqrea said it does not know how the storage bucket became public. By default, Amazon’s cloud storage buckets are private. After a spate of exposed customer storage buckets a few years ago, Amazon added several warning prompts to customers before data can be made public, making this kind of lapse increasingly hard to do accidentally.

Hashimoto told TechCrunch that the company plans to notify affected individuals once it has completed its investigation.

It remains unclear whether anyone other than Sen accessed the exposed data before it was secured. Hashimoto said the company is reviewing its logs to determine if there had been any authorized access prior to securing the bucket.

Details of the exposed bucket were also captured by GrayHatWarfare, a searchable database that indexes publicly visible cloud storage. The bucket listing contains files dating back to early 2020 up to as recently as this month, and included identity documents of visitors from countries around the world.

The hotel check-in system lapse follows other incidents involving sensitive government-issued documents. Earlier this year, TechCrunch reported on the exposure of driver’s licenses, passports, and other identity documents uploaded by customers of money transfer service Duc App. A data breach at car rental service Hertz last year saw hackers make off with driver’s license information belonging to at least 100,000 customers.

These incidents come at a time when governments are increasingly rolling out age verification laws and private businesses are using "know your customer" checks to verify a person’s identity. Both rely on adults uploading sensitive documents, often to a third-party company, for verification, despite criticisms from cybersecurity experts. Data lapses can put people whose information was taken at greater risk of identity fraud or having their likeness misused as age verification requirements take hold around the world.

Topics

age verification, cybersecurity, data exposure, Exclusive, Security

When you purchase through links in our articles, we may earn a small commission. This doesn’t affect our editorial independence.

Zack Whittaker

Security Editor

Zack Whittaker is the security editor at TechCrunch. He also...

techcrunch check system security data hotel

Related Articles

Elevated error rates on requests to multiple models

recroad9 ptsclaude incident islands rates elevated error

Donald Trump and sons to be 'forever' exempt from tax audits

doener9 ptsdigital access newsletters premium financial times

PopuLoRA: Co-Evolving LLM Populations for Reasoning Self- Play

AMavorParker8 ptstasks model training self populora play

Old Reddit Is Down

Crunsher7 ptsdata autoplay videoplayerelement comments function false

The ultimate female fantasy – A feminist critique of Beauty and the Beast

muge6 ptsbeast story paglia beauty older butler
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.