A major cybersecurity lapse involving a hotel check-in platform exposed more than one million customer passports, driver’s licenses, and selfie verification photos on the open internet without password protection, according to a recent investigation by TechCrunch. The exposed data reportedly belonged to guests who used a digital hotel check-in system operated by Japan-based hospitality technology company Reqrea.
Researchers found that the company had mistakenly configured a cloud storage bucket to public access, allowing anyone with knowledge of the storage location to view highly sensitive identity documents directly through a web browser. The exposed files included passport scans, government-issued IDs, and facial verification images collected as part of hotel identity verification procedures.
Security researcher Anurag Sen reportedly discovered the exposed database and alerted TechCrunch, which then contacted Reqrea and Japan’s cybersecurity coordination authorities. Following the disclosure, the company secured the storage system and removed public access to the data. However, reports suggest the information may have remained exposed since early 2020, raising concerns that unauthorized parties could have accessed the records for years without detection.
The compromised platform, known as Tabiq, is used by several hotels in Japan to automate guest check-in procedures through facial recognition and document verification systems. Analysts noted that the incident highlights growing cybersecurity risks within the hospitality technology sector, where hotels increasingly rely on third-party digital platforms to manage identity verification, guest onboarding, and cloud-based customer data storage.
Reqrea director Masataka Hashimoto stated that the company is conducting an internal investigation to determine the full scope of the exposure and whether any unauthorized access occurred beyond the discovery made by the security researcher. The company also indicated that it plans to notify affected individuals after completing its review.
Cybersecurity experts warned that exposed identity documents create serious risks for affected individuals, including identity theft, financial fraud, phishing attacks, account takeovers, and social engineering scams. Passports and driver’s licenses are among the most valuable forms of personal data for cybercriminals because they can be used to bypass identity verification systems across banks, financial platforms, and digital services.
The incident has also reignited concerns about cloud storage security and basic configuration errors. Major cloud providers such as Amazon Web Services configure storage buckets as private by default, and additional warning systems have been introduced over recent years to prevent accidental public exposure. Security researchers noted that the breach demonstrates how simple misconfigurations continue to cause massive data exposures despite improved cloud security controls.
Industry observers believe the case reflects a broader pattern of rising data exposure incidents involving consumer platforms, AI systems, and cloud-based applications. Recent months have seen multiple cybersecurity incidents involving exposed personal records, financial data, and sensitive enterprise information due to improperly secured cloud environments and weak access controls.
