Hotel check-in system left a million passports and driving licenses open for anyone to see


A hotel’s check-in system left more than 1 million customer passports, driver’s licenses and selfie verification photos on the open web after a security breach. The data is now offline after TechCrunch alerted the company responsible.

The hotel check-in system, called Tabiq, is maintained by the Japan-based tech startup Reqrea. According to its website, Tabiq is used in several hotels in Japan and relies on facial recognition and document scanning to register guests.

Independent security researcher Anurag Sen contacted TechCrunch earlier this week after discovering that the system was leaking confidential documents from hotel guests around the world. Sen said this was because the startup configured one of its Amazon cloud-hosted storage buckets, which the check-in system uses to store customer data, to be publicly accessible. Anyone using a web browser could see the data it contains, without needing a password, simply by knowing the name of the bucket: “tabiq”.

Sen alerted TechCrunch in an effort to help notify the company. Reqrea blocked the storage bucket after TechCrunch contacted both the company and Japan’s cybersecurity coordination team, JPCERT.

This latest error highlights a recurring problem of companies exposing or disclosing their customers’ personal information and confidential documents, not through sophisticated attacks, but by failing to follow basic cybersecurity practices. Recent rumors of vulnerabilities discovered by AI and new cybersecurity capabilities aside, major security incidents are often due to human error, misconfigurations, or failure to follow cybersecurity best practices.

In an email acknowledging the exposure, Reqrea director Masataka Hashimoto told TechCrunch: “We are conducting a thorough review with the support of outside legal counsel and other advisors to determine the full scope of the exposure.”

Reqrea said it does not know how the storage bucket became public. By default, Amazon cloud storage buckets are private. After a series of exposed customer storage buckets a few years ago, Amazon added several warnings to customers before data can be made public, making this type of lapse increasingly difficult to commit by accident.

Hashimoto told TechCrunch that the company plans to notify affected people once it has completed its investigation.

It is unclear whether anyone other than Sen accessed the exposed data before it was secured. Hashimoto said the company is reviewing its records to determine if there was any unauthorized access before the bucket was secured.

Details of the exposed bucket were also captured by GrayHatWarfare, a searchable database that indexes publicly viewable cloud storage. The bucket listing contains files dating from early 2020 to this month, and includes identity documents of visitors from countries around the world.

The failure of the hotel’s check-in system comes after other incidents involving confidential government-issued documents. Earlier this year, TechCrunch reported on the exposure of driver’s licenses, passports, and other ID documents uploaded by customers of the Duc money transfer application. A data breach at the Hertz car rental service last year saw hackers steal the driver’s license information of at least 100,000 customers.

These incidents come at a time when governments are increasingly implementing age verification laws and private companies are using “know your customer” checks to verify a person’s identity. Both rely on adults uploading sensitive documents, often to an outside company, for verification, despite criticism from cybersecurity experts. Data breaches can put people whose information was taken at greater risk of identity fraud or having their image misused as age verification requirements establish themselves around the world.
