A Japan-based startup left more than a million hotel guests’ passports, driver’s licenses and facial verification photos sitting wide open on the public internet. The lapse required no clever hack. Just one misconfigured Amazon storage bucket. And it stayed that way for years.
The system in question is Tabiq. Developed by Reqrea, it streamlines guest arrivals at several Japanese hotels through document scanning and facial recognition. Guests upload their government IDs. The platform matches faces to photos. Then it stores everything. Or at least it did until an independent researcher spotted the open data last week.
Anurag Sen found the exposed Amazon S3 bucket named simply “tabiq.” No password. No authentication. Anyone who knew the bucket name could browse the files in a standard web browser. The contents stretched back to early 2020 and included scans from visitors across dozens of countries. Passports. Driver’s licenses. Selfies taken for identity checks. All there for the taking.
Sen reached out to TechCrunch instead of going public immediately. The publication contacted Reqrea and Japan’s cybersecurity coordination center JPCERT. Within hours the bucket was locked down. The data vanished from public view. But the damage window had been open far too long.
Reqrea director Masataka Hashimoto acknowledged the exposure in an email. “We are conducting a thorough review with the support of external legal counsel and other advisors to determine the full scope of exposure,” he wrote, according to TechCrunch. The company says it does not know how the bucket became public. Amazon sets buckets to private by default and has added multiple warnings before users can flip them open. Yet the error happened anyway.
Hashimoto added that Reqrea plans to notify affected guests once its investigation finishes. The firm is checking access logs to learn whether others viewed the files before Sen’s discovery. Those answers matter. Because this incident is not isolated.
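The access-log review described above, sketched as an added example (not Reqrea's or TechCrunch's code): it assumes S3 server access logging was enabled on the bucket and counts successful unauthenticated listing and download requests per source IP. The bucket name, owner ID, addresses and log records are constructed placeholders.

```python
import re

# The first ten space-delimited fields of an S3 server access log record.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<op>\S+) (?P<key>\S+) '
    r'(?P<uri>"[^"]*"|-) (?P<status>\d{3}|-)'
)
READ_OPS = {"REST.GET.BUCKET", "REST.GET.OBJECT"}  # bucket listing, object download

def anonymous_reads(lines):
    """Count successful unauthenticated list/download requests per source IP."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated record
        # S3 logs "-" as the requester when the request carried no credentials.
        if m["requester"] != "-" or m["op"] not in READ_OPS:
            continue
        if not m["status"].startswith("2"):
            continue  # denied or failed requests returned no data
        per_ip = hits.setdefault(m["ip"], {})
        per_ip[m["op"]] = per_ip.get(m["op"], 0) + 1
    return hits

# Constructed sample records (documentation IP ranges, placeholder IDs and keys).
SAMPLE = [
    'OWNERIDEXAMPLE example-guest-ids [06/Feb/2026:00:00:38 +0000] 198.51.100.7 - '
    'REQ1EXAMPLE REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 - 4512 - 21 20 "-" "Mozilla/5.0" -',
    'OWNERIDEXAMPLE example-guest-ids [06/Feb/2026:00:01:02 +0000] 198.51.100.7 - '
    'REQ2EXAMPLE REST.GET.OBJECT 2020/scan-0001.jpg "GET /2020/scan-0001.jpg HTTP/1.1" '
    '200 - 88211 88211 35 30 "-" "Mozilla/5.0" -',
    'OWNERIDEXAMPLE example-guest-ids [06/Feb/2026:00:02:10 +0000] 203.0.113.9 '
    'arn:aws:iam::111122223333:user/checkin-app REQ3EXAMPLE REST.GET.OBJECT 2020/scan-0002.jpg '
    '"GET /2020/scan-0002.jpg HTTP/1.1" 200 - 90100 90100 40 33 "-" "aws-sdk" -',
    'OWNERIDEXAMPLE example-guest-ids [06/Feb/2026:00:03:45 +0000] 192.0.2.44 - '
    'REQ4EXAMPLE REST.GET.OBJECT 2020/scan-0003.jpg "GET /2020/scan-0003.jpg HTTP/1.1" '
    '403 AccessDenied 243 - 5 - "-" "curl/8.0" -',
]

if __name__ == "__main__":
    print(anonymous_reads(SAMPLE))
```

S3 delivers server access logs on a best-effort basis, so an empty result narrows the question but does not prove that nobody else viewed the files.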
Travel companies hold sensitive identity data at scale. They do so through sprawling networks of partners, vendors and cloud services. That structure creates repeated weak points. Earlier in 2026 a money-transfer app called Duc exposed customer driver’s licenses and passports through similar cloud storage mistakes, TechCrunch reported. Hertz suffered a breach last year that let hackers walk away with at least 100,000 customers’ license details.
Booking.com’s troubles offer another angle. In April the platform warned users that unauthorized parties had accessed reservation data including names, addresses, phone numbers and private messages with hotels. The company reset PIN codes and urged vigilance against follow-on scams. Criminals used the details to impersonate properties and request payments or extra information. Malwarebytes noted the pattern: attackers often compromise hotel partners rather than the booking site itself. The travel sector’s reliance on third-party tools turns each vendor into a potential entry point.
So the Tabiq case fits a larger picture. Governments push age-verification rules and know-your-customer processes. Businesses respond by collecting high-resolution copies of official documents. Many hand that responsibility to startups promising fast, automated check-ins. The convenience sells. The security assumptions rarely get tested until something breaks.
Reqrea’s platform promised efficiency. Hotels could scan IDs, verify faces and move guests through faster. Yet the storage layer received less attention. One public bucket exposed the entire archive. Files from this month sat alongside records from 2020. The volume exceeded one million documents.
Security experts have warned about cloud misconfigurations for years. Services such as GrayHatWarfare maintain searchable databases that regularly catalog open buckets. Tabiq’s appeared there too. The exposure was discoverable by anyone running routine scans. That reality should alarm every operator using similar setups.
And the consequences stretch beyond embarrassment. Exposed passports enable identity theft on a serious scale. Fraudsters can open accounts, cross borders or build synthetic identities. Selfies add biometric risk. Once a face is paired with a name and document number, deepfake creation becomes simpler. Hotels and their tech partners now sit at the center of these new attack surfaces.
Japan’s hotels using Tabiq must now answer guest questions. So must Reqrea. The company has engaged legal counsel. It reviews logs. It prepares notifications. But the delay in alerting individuals raises compliance questions in jurisdictions with strict breach-notification timelines. Under rules such as GDPR, high-risk incidents demand prompt disclosure.
Recent X discussions echo the frustration. One post called it “the third major ID document exposure in 2026,” linking Duc, Hertz and now Tabiq. Another researcher noted the recurring theme: firms collect sensitive files, park them in cloud storage and skip basic protections. The pattern holds even as regulators tighten rules around biometric and identity data.
Hashimoto’s statement leaves several details unresolved. How exactly did the bucket flip to public? Were access controls ever tested? Did the company conduct regular audits of its storage configuration? Those answers may surface in the final report. For now the focus remains on containment and notification.
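A storage-configuration audit of the kind asked about above can run offline against a bucket's exported settings. The following is an added example, not Reqrea's code: it takes a bucket's Block Public Access settings, ACL grants and policy JSON and reports whether anonymous users can list or read objects. The bucket name and all sample inputs are constructed; statements with a `Condition` are skipped for manual review and `Deny` statements are not evaluated.

```python
import json
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"  # S3's anonymous group

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def _matches(pattern, action):  # case-insensitive; only a trailing "*" is handled
    p, a = pattern.lower(), action.lower()
    return p == a or (p.endswith("*") and a.startswith(p[:-1]))

def public_exposure(pab, acl_grants, policy_json):
    """Return sorted findings for anonymous list/read access to a bucket."""
    findings = set()
    # IgnorePublicAcls makes S3 disregard grants to the AllUsers group.
    if not pab.get("IgnorePublicAcls"):
        for grant in acl_grants:
            if (grant["Grantee"].get("URI") == ALL_USERS
                    and grant["Permission"] in ("READ", "FULL_CONTROL")):
                findings.add("acl:anonymous-list")
    # RestrictPublicBuckets cuts off anonymous access granted by a public policy.
    if policy_json and not pab.get("RestrictPublicBuckets"):
        for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
            if (stmt.get("Effect") != "Allow" or stmt.get("Condition")
                    or not _is_anonymous(stmt.get("Principal"))):
                continue  # simplification: conditioned statements need manual review
            for pattern in _as_list(stmt.get("Action", [])):
                if _matches(pattern, "s3:ListBucket"):
                    findings.add("policy:anonymous-list")
                if _matches(pattern, "s3:GetObject"):
                    findings.add("policy:anonymous-read")
    return sorted(findings)

# Constructed sample inputs (placeholder bucket name, not the real configuration).
OPEN_PAB = dict.fromkeys(
    ["BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"], False)
LOCKED_PAB = {k: True for k in OPEN_PAB}
PUBLIC_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-guest-ids", "arn:aws:s3:::example-guest-ids/*"]}]})

if __name__ == "__main__":
    for pab in (OPEN_PAB, LOCKED_PAB):
        print(public_exposure(pab, PUBLIC_ACL, PUBLIC_POLICY))
```

With all four Block Public Access settings enabled, the same public ACL and policy produce no findings, which is why that control is the first thing to verify on any bucket holding identity documents.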
The incident also highlights tension in facial-recognition deployments for hospitality. Proponents argue the technology reduces fraud and speeds service. Critics point to the permanent record created when every guest’s likeness is stored alongside official IDs. A single error turns that record into a liability for millions.
Travelers, meanwhile, face practical choices. They can limit shared data. They can ask hotels what third-party systems handle their documents. They can monitor credit reports and account alerts after any known exposure. Yet many have little leverage when a booking platform or hotel vendor demands scans.
Reqrea built Tabiq to solve a real operational problem. Contactless check-in gained traction during the pandemic and never fully receded. Demand for automated verification remains high. The question now is whether the industry will treat data protection with matching seriousness.
Because basic errors should not expose a million identity documents in 2026. The tools exist to prevent it. The warnings are loud. Yet the bucket stood open. Anyone could look. That fact alone demands closer scrutiny of every vendor touching guest IDs.
Industry insiders have seen this movie before. Cloud storage slips. Delayed notifications. Promises of future reviews. The difference this time is scale and sensitivity. Passports are not email addresses. Their compromise carries long-term risk. Hotels, startups and regulators must treat them that way.


WebProNews is an iEntry Publication