TL;DR
A hotel check-in system called Tabiq, maintained by Reqrea in Japan, left over one million customer documents exposed due to a cloud storage misconfiguration. The company has now secured the data after TechCrunch alerted them. The incident raises concerns about data security in customer verification processes.
A hotel check-in system in Japan, operated by the startup Reqrea, left over one million passports, driver’s licenses, and selfie verification photos accessible to anyone on the internet due to a cloud storage misconfiguration. The company has since secured the data following notification from TechCrunch, highlighting ongoing cybersecurity vulnerabilities in customer verification systems.
The system, called Tabiq, relies on facial recognition and document scanning to facilitate hotel check-ins across several establishments in Japan. Security researcher Anurag Sen discovered that Reqrea’s Amazon cloud storage bucket named ‘tabiq’ was publicly accessible, allowing anyone with knowledge of the bucket name to view sensitive customer data without authentication.
Reqrea responded by locking down the bucket after TechCrunch’s intervention, which involved notifying both the company and Japan’s cybersecurity authority, JPCERT. The exposed data includes documents from customers worldwide dating back to early 2020, and the company has not yet confirmed whether any unauthorized access occurred before the data was secured.
Why It Matters
This incident underscores the persistent risk of data breaches caused by simple misconfigurations, especially in systems handling sensitive personal information. Such lapses can lead to identity theft, fraud, and misuse of biometric data, raising concerns over the security of customer verification processes used globally by hotels and other industries.
It also highlights the importance of strict cybersecurity practices, especially given the increasing reliance on digital identity verification, which often involves uploading sensitive documents. The incident may prompt stricter oversight and review of data security protocols in similar systems.
HERO Neck Wallet – RFID Blocking Passport Holder, Easy to Conceal Travel Pouch (Army Grey)
LIFETIME REPLACEMENT GUARANTEE – We individually test every HERO Neck Wallet in the USA before shipping. And every…
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Background
In recent years, several high-profile data breaches have involved identity documents, including a breach at car rental firm Hertz and a leak involving a money transfer service, Duc App. The incident with Reqrea’s system follows a pattern of companies exposing customer data through misconfigured cloud storage, despite Amazon’s efforts to prevent such lapses with warning prompts. The exposure of over one million documents marks a significant escalation in the scale of such vulnerabilities, especially in the hospitality sector.
“We are conducting a thorough review with the support of external legal counsel and other advisors to determine the full scope of exposure.”
— Masataka Hashimoto, Reqrea director
“The data inside the bucket could be viewed by anyone using a web browser, without needing a password, by knowing only the bucket name.”
— Anurag Sen, independent security researcher
Epson Workforce ES-50 Portable Sheet-Fed Document Scanner for PC and Mac
Fastest and lightest mobile single sheet fed document scanner in its class(1) small, portable scanner ideal for easy,…
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
What Remains Unclear
It remains unclear whether any unauthorized access occurred before the data was secured or if any data was downloaded or misused. The company is reviewing logs to determine if there had been any prior access, but details are still emerging.
Brother DS-640 Compact Mobile Document Scanner, (Model: DS640)
FAST SPEEDS – Scans color and black and white documents a blazing speed up to 16ppm (1). Color…
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
What’s Next
Reqrea is expected to complete its investigation and notify affected individuals once the scope of the exposure is fully understood. The company may also implement additional security measures and undergo external audits to prevent future lapses. Regulatory authorities could also scrutinize the incident, potentially leading to sanctions or increased oversight.
SaiTech IT 5 Pack RFID Blocking Card, One Card Protects Entire Wallet Purse, NFC Contactless Bank Debit Credit Card Protector ID ATM Guard Card Blocker–(Black)
SECURE YOUR WALLET FROM e-PICKPOCKETING: Prevent potential identity and financial theft through your contactless cards. Don’t become a…
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Key Questions
How did the data become exposed?
The data was exposed due to a misconfiguration of the company’s Amazon cloud storage bucket, which was set to be publicly accessible without authentication.
Are any individuals affected by this breach?
It is not yet confirmed whether affected individuals have been notified or if any data was accessed or downloaded before the bucket was secured.
What types of documents were exposed?
The exposed data included passports, driver’s licenses, and selfie verification photos from customers around the world, dating back to 2020.
What steps is Reqrea taking now?
The company has secured the data, is reviewing its logs, and plans to notify affected individuals after completing its investigation. It may also review its security protocols to prevent future incidents.
Could this happen again?
While Amazon has added warnings to prevent accidental public exposure, human error and misconfigurations can still occur, underscoring the need for ongoing vigilance and security audits.
