A mishap in a hotel check-in system has inadvertently exposed over a million sensitive documents, including passports and driver’s licenses, to the public eye. The oversight was rectified after the issue was brought to the attention of the involved company.
The platform in question, Tabiq, is operated by a tech startup based in Japan. Tabiq is designed to facilitate hotel check-ins using advanced technology such as facial recognition and document scanning, utilized by various hotels across the country.
An independent researcher discovered that the Tabiq system was leaking sensitive documents due to a critical configuration mistake. The issue arose from a publicly accessible storage bucket hosted on Amazon’s cloud, allowing anyone who knew the bucket’s name to browse its contents without any password.
After the revelation, the researcher notified the relevant parties to inform the company about the vulnerability. Upon being contacted, the company secured the exposed storage bucket.
This incident highlights a persistent issue where companies inadvertently compromise sensitive customer data—not through advanced hacking methods, but by neglecting fundamental cybersecurity protocols. Recent vulnerabilities linked to AI tools and new cybersecurity initiatives are often overshadowed by such preventable incidents rooted in simple errors or system misconfigurations.
The company stated that it is currently conducting a comprehensive investigation with external legal support to evaluate the full extent of the exposure and is unsure how the storage made itself public, as Amazon typically sets its cloud storage buckets to be private by default. They assured that impacted individuals will be notified after concluding their investigation.
It is still uncertain if any unauthorized users accessed the leaked data prior to its closure, and the company mentioned it would review access logs to detect any possible infractions.
The exposed data was also recorded by GrayHatWarfare, a database that catalogs publicly visible cloud storage. The compromised bucket held files dating from early 2020 up to the present, featuring identity documentation of visitors from various countries.
This breach is part of a troubling pattern of incidents involving sensitive government-issued documents. Previously, similar exposures have involved personal documents from other services, as well as major data breaches affecting a significant number of customers.
With increasing regulations around age-verification and identity checks, these data vulnerabilities pose significant risks to individuals, potentially leading to identity fraud or misuse as such laws take effect globally. The importance of securing sensitive data cannot be overstated.