A hotel check-in system used by hotels in Japan reportedly exposed more than 1 million customer identity documents on the open web, including passports, driver’s licenses, and selfie verification photos.
The exposed data came from Tabiq, a hotel check-in system maintained by Japan-based startup Reqrea. The system is used by several hotels in Japan and relies on document scanning and facial recognition to verify guests during check-in.
The Hotel Check-In System has now been fixed, but the incident raises serious concerns about how hotels and third-party verification companies handle sensitive guest data.
What Happened?
According to the report, the exposed data was stored in an Amazon cloud storage bucket used by the Tabiq check-in system.
The bucket was publicly accessible, which means anyone with a web browser could view the files if they knew the bucket name. No password was required.
Independent security researcher Anurag Sen discovered the Hotel Check-In System Exposed and contacted TechCrunch to help notify the company. After TechCrunch reached out to Reqrea and Japan’s cybersecurity coordination team, JPCERT, the storage bucket was locked down.
What Data Was Exposed?
The exposed files included highly sensitive customer information, such as:
- Passport images
- Driver’s license images
- Selfie verification photos
- Identity documents from travelers around the world
This type of data is especially risky because it can be used for identity theft, fraud, fake account creation, or other forms of misuse.
Unlike a leaked email address or phone number, a passport or driver’s license is much harder to replace and can create long-term problems for affected users.
Who Was Behind the Hotel Check-In System?
The hotel check-in system is called Tabiq and is operated by Reqrea, a Japan-based technology startup.
Tabiq is designed to help hotels check in guests using facial recognition and document scanning. This kind of system is becoming more common as hotels and travel companies try to make check-ins faster and more automated.
However, this incident shows the risk of collecting sensitive documents if the company storing them does not protect the data properly.
Why Was the Data Public?
The exposed information was stored in an Amazon-hosted cloud storage bucket. According to the report, the bucket had been set to public access.
Amazon cloud storage buckets are private by default, and Amazon has added multiple warnings to prevent accidental public exposure. That makes this type of mistake harder to make by accident, but it can still happen through misconfiguration or human error.
Reqrea said it does not yet know how the storage bucket became public and is investigating the issue.
Also read;
X Launches New History Tab 2026 for Bookmarks, Likes, Videos, and Articles
Anthropic Pushes Claude Deeper Into Legal AI as Competition Heats Up
Bravo Brings Unscripted Microdramas to Peacock as Short-Form Streaming Gets Bigger
Android and iPhone Texts Can Finally Get End-to-End Encryption
What Did Reqrea Say?
Reqrea director Masataka Hashimoto said the company is conducting a full review with external legal counsel and advisors to understand the complete scope of the exposure.
The company also said it plans to notify affected individuals after its investigation is complete.
At this stage, it is still unclear whether anyone other than the security researcher accessed the exposed data before it was secured. Reqrea is reviewing logs to check whether there was any unauthorized access.
Why This Breach Is Serious
The Hotel Check-In System incident is serious because the exposed data includes government-issued identity documents and face verification images.
That combination can be dangerous. If passport or driver’s license images are combined with selfie photos, criminals may be able to use them for identity fraud or to bypass online verification systems.
This is especially concerning because more companies now require users to upload ID documents for age checks, customer verification, hotel stays, travel bookings, financial services, and account security.
The Bigger Problem With ID Verification
More businesses are asking customers to upload passports, driver’s licenses, or selfies for verification. This is often called KYC, or “Know Your Customer.”
The problem is that users are being asked to trust many different companies with some of their most sensitive personal data.
If those companies fail to secure their systems properly, customers can face serious privacy risks. Even one misconfigured cloud storage bucket can expose thousands or millions of documents.
This is why cybersecurity experts often warn that companies should collect only the data they truly need and protect it with strong security controls.
What Affected Users Should Watch For
People who may have used hotels connected to this system should stay alert for possible identity misuse.
They should watch for:
- Unusual account activity
- Unexpected verification emails
- Suspicious financial activity
- New accounts opened in their name
- Messages asking for more personal information
- Travel or identity-related alerts
If someone believes their passport or driver’s license may have been exposed, they should follow official guidance from their local government or ID-issuing authority.
Why Cloud Misconfigurations Keep Happening
This was not described as a sophisticated hack. Instead, it appears to be a security lapse caused by exposed cloud storage.
Cloud misconfigurations are a common problem because companies often store large amounts of data online but may not properly manage permissions.
A single wrong setting can make private files visible to the public internet. That is why companies must regularly audit cloud storage, limit access, encrypt sensitive files, and monitor for accidental exposure.
What Hotels and Tech Vendors Should Learn
Hotels and travel tech companies should treat customer identity documents as extremely sensitive data.
They should:
- Store documents only when absolutely necessary
- Limit who can access customer files
- Use encryption for sensitive records
- Regularly audit cloud permissions
- Delete documents when they are no longer needed
- Monitor for public exposure
- Notify affected users quickly if a breach happens
The travel industry depends on trust. When hotels collect passports and IDs, customers expect that data to be protected carefully.
Conclusion
The Tabiq hotel check-in system exposure is a major reminder that convenience and security must go together.
Automated hotel check-ins can make travel easier, but they also involve sensitive data such as passports, driver’s licenses, and facial verification photos. If that data is not properly secured, customers can face real privacy and identity risks.
Reqrea has now locked down the exposed storage bucket and is investigating the full scope of the incident. But the larger lesson is clear: companies collecting identity documents must protect them with the highest level of care.
What hotel check-in system exposed customer documents?
The system is called Tabiq, a hotel check-in platform maintained by Japan-based startup Reqrea.
What kind of data was exposed?
The exposed data included passports, driver’s licenses, selfie verification photos, and other identity documents from hotel guests.
How many documents were exposed?
More than 1 million customer identity documents were reportedly exposed online.
How did the data become public?
The data was stored in an Amazon cloud storage bucket that had been set to public access, allowing files to be viewed without a password.
Who discovered the exposed data?
Independent security researcher Anurag Sen discovered the exposure and contacted TechCrunch to help notify the company.
Has the exposed data been secured?
Yes, Reqrea locked down the exposed storage bucket after being contacted by TechCrunch and Japan’s cybersecurity coordination team, JPCERT.
Did hackers access the exposed documents?
It is currently unclear whether anyone other than the security researcher accessed the data before it was secured. Reqrea is reviewing logs to investigate.
Why is this data exposure dangerous?
Passports, driver’s licenses, and selfie verification photos can be misused for identity theft, fraud, fake account creation, or bypassing online identity checks.
What should affected users do?
Affected users should monitor their accounts, watch for suspicious activity, and follow official guidance from their local ID or passport authority if they believe their documents were exposed.
Why do hotel systems collect passport and license photos?
Many hotels use identity documents for guest verification, legal compliance, and automated check-in systems. However, companies must secure this data carefully.