Hotel check-in system left a million passports open on the internet
A Japanese facial-recognition platform stored more than a million ID scans and selfies in an unsecured cloud bucket that anyone could view without a password.
Daniel Okafor
Technology Reporter

A hotel check-in system used across Japan left more than a million passport scans, driving licences and verification selfies sitting on the open internet, accessible to anyone who knew where to look. The exposure was uncovered by a security researcher and reported by TechCrunch.
The platform, called Tabiq, is a facial-recognition check-in service operated by the Japanese startup Reqrea. Its data was stored in an Amazon cloud storage bucket that had been left publicly accessible, meaning the files could be opened in a web browser without any password, simply by knowing the bucket's name.
Misconfigured cloud storage of this kind has become one of the most common causes of large-scale data exposure. Unlike a targeted hack, no break-in is required; the data is simply left in the open by mistake. The danger is that such buckets can be found by automated tools that constantly scan the internet for exactly this kind of oversight.
Self-service check-in kiosks of the sort Tabiq powers have spread quickly through the hospitality industry, promising to cut queues and reduce staffing costs. Many rely on scanning a guest's identity document and matching it to a live photograph, a process that inevitably generates and stores exactly the kind of sensitive material found in this exposure. The convenience of the technology, in other words, depends on accumulating data that becomes a serious liability if it is not protected.
Years of sensitive documents exposed
The cache held highly sensitive material: full passport pages showing passport numbers, dates of birth, nationalities, photographs and home addresses, along with driving licences and the selfie images used for facial-recognition matching. According to the report, the files dated back as far as early 2020 and ran up to May 2026.
The breadth of the data is what makes the exposure so serious. A single leaked email address is a nuisance; a complete passport scan paired with a matching selfie is a near-perfect toolkit for identity theft. Such documents can be used to open accounts, pass identity checks and impersonate victims, and unlike a password they cannot simply be reset.
The exposed records reportedly included a range of deeply personal information:
- Full passport pages with passport numbers and photographs
- Dates of birth and nationalities
- Home addresses
- Driving licences
- Selfie images used for facial-recognition matching
How it came to light
Security researcher Anurag Sen discovered the unsecured database and alerted TechCrunch, which contacted both Reqrea and Japan's national cyber-incident coordination team, JPCERT. The company locked down the storage bucket after being notified.
The episode followed a familiar pattern in responsible disclosure: a researcher finds an exposure, reaches out through a journalist or coordinating body, and the data is secured once the operator is made aware. While the bucket was closed relatively quickly after notification, the files had reportedly been accessible for an extended period, and there is rarely any way to know with certainty whether anyone else found and copied the data first.
“The data could be viewed by anyone using a web browser, without needing a password, by knowing only the bucket name.”
— TechCrunch investigation
Background: a recurring failure
Cloud platforms give companies enormous flexibility, but they also place the burden of secure configuration squarely on the customer. Storage buckets are private by default on major providers, yet they are repeatedly left open through misconfiguration, rushed deployments or a lack of security expertise, particularly at smaller firms. The result is a steady drumbeat of incidents in which sensitive records are found sitting unprotected online.
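As an added illustration of the misconfiguration described above (not code from the article, TechCrunch or Reqrea), this Python check takes a bucket's ACL grants, bucket policy and Block Public Access settings, in the shapes S3's GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock return, and reports each path by which an anonymous visitor could reach the data. The function names, the bucket name and all sample values are constructed, and the policy evaluation is deliberately simplified.

```python
# Added example: offline audit of S3 bucket settings for anonymous access.
# All sample values are constructed; "example-bucket" is a placeholder name.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_exposure(acl_grants, policy, block):
    """Return findings describing how the bucket is reachable without credentials."""
    findings = []
    # IgnorePublicAcls makes S3 disregard public ACL grants entirely.
    if not block.get("IgnorePublicAcls", False):
        for grant in acl_grants:
            uri = grant.get("Grantee", {}).get("URI")
            if uri in PUBLIC_GROUPS:
                group = uri.rsplit("/", 1)[-1]
                findings.append(f"ACL grants {grant['Permission']} to {group}")
    # RestrictPublicBuckets cuts off anonymous access granted by a public policy.
    if not block.get("RestrictPublicBuckets", False):
        for stmt in _as_list((policy or {}).get("Statement", [])):
            # Simplification (assumption): any Condition is treated as restrictive.
            if (stmt.get("Effect") == "Allow" and _is_wildcard(stmt.get("Principal"))
                    and not stmt.get("Condition")):
                actions = ", ".join(_as_list(stmt["Action"]))
                findings.append(f"policy allows {actions} to any principal")
    return findings

OPEN_ACL = [{"Grantee": {"Type": "Group", "URI":
             "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]
PRIVATE_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
                "Permission": "FULL_CONTROL"}]
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]}
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for label, block in (("no public access block", {}), ("full block", FULL_BLOCK)):
        print(label, "->", public_exposure(OPEN_ACL, OPEN_POLICY, block) or "not public")
```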
Facial-recognition and identity-verification services raise the stakes further, because they deliberately collect the most sensitive categories of personal data: government identity documents combined with biometric images. When such a service is breached, the harm to affected individuals can be severe and long-lasting, and the regulatory consequences for the operator can be significant under data-protection laws.
“Biometric data and identity documents are uniquely dangerous to lose, because unlike a password you cannot change your face or reissue your history.”
— Cybersecurity specialist
What it means
The episode is a stark reminder that some of the most damaging data leaks stem not from sophisticated hacking but from simple misconfiguration. Affected travellers face an ongoing risk of fraud that no after-the-fact fix can fully undo, and the case is likely to draw scrutiny from regulators and renewed pressure on companies handling identity documents to audit their cloud security. Exposed government-issued identity documents are a goldmine for fraudsters, and incidents like this have become a recurring theme of 2026.
Source: This summary is based on reporting by TechCrunch. The NE Times aggregates and rewrites news for readability; please refer to the original for the full report.