Imagine you are packing for a well‑deserved vacation. You hand over your passport at a hotel front desk, trust the system, and later swipe your driving licence for verification. Months after returning home, you receive a call about a suspicious bank account opened in your name. How did this happen? Your identity documents never left your sight, yet fraudsters halfway across the world now hold digital copies of them.
This is not a hypothetical scenario. It is exactly what happened to more than one million travellers whose personal data was left exposed on the open internet by a hotel check‑in system called Tabiq.
The system, built by the Japan‑based startup Reqrea, is used by several hotels across Japan. It relies on facial recognition and document scanning to automate guest check‑ins. A serious security lapse allowed anyone with a web browser to access passports, driver’s licences and selfie verification photos without needing a password. The bucket contained files dating back to early 2020, meaning the exposure may have gone unnoticed for more than five years.
This article breaks down what happened, how the leak was discovered, why it matters for Indian travellers, and how you can protect yourself from identity theft.
How the Leak Happened: A Cloud Bucket Left Open
The breach was not the result of a sophisticated cyber‑attack. It was a simple, avoidable configuration error.
Reqrea used an Amazon Web Services (AWS) S3 bucket to store guest data collected by the Tabiq check‑in system. AWS buckets are set to private by default and come with multiple warning prompts before any data can be made public. Yet, for reasons the company still cannot explain, the bucket named “tabiq” was configured to be publicly accessible.
Independent security researcher Anurag Sen discovered this leak earlier this week. He found that anyone who knew the bucket’s name could view its contents directly in a web browser – no password, no special access required. The exposed data included:
- Passports – complete with names, dates of birth, passport numbers and photographs.
- Driver’s licences – containing home addresses, licence numbers and dates of birth.
- Selfie verification photos – taken by guests to confirm their identity via facial recognition.
Because Tabiq is used by hotels in Japan, the leaked documents belong to guests from all over the world – including Indian travellers. The bucket listed files from early 2020 up to May 2026, meaning the data of anyone who checked in using the system over the past five years could be at risk.
How the Researcher Helped – and What Happened Next
Anurag Sen did not exploit the leak. He contacted TechCrunch to help notify the company responsibly. TechCrunch then reached out to Reqrea and Japan’s cybersecurity coordination team, JPCERT. Soon after, Reqrea locked down the storage bucket and took the exposed data offline.
In an email acknowledging the exposure, Reqrea director Masataka Hashimoto told TechCrunch: “We are conducting a thorough review with the support of external legal counsel and other advisors to determine the full scope of exposure”.
The company said it does not know how the bucket became public. It is now reviewing its logs to determine whether anyone other than the researcher accessed the data before it was secured. TechCrunch also noted that the bucket was indexed by GrayHatWarfare, a searchable database that tracks publicly visible cloud storage. This means that even if no individual accessed the bucket directly, the files may have been catalogued and could still be accessible through third‑party archives.
Reqrea has promised to notify affected individuals once its investigation is complete. However, it remains unclear how long the files were exposed or whether malicious actors already downloaded copies.
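The log review described above can be sketched as follows. This is an added example, not Reqrea's or TechCrunch's code; it assumes S3 server access logging was enabled on the bucket, and the bucket name, IDs and log lines are constructed sample data. In that log format the requester field is "-" for unauthenticated requests, which is what the function looks for.

```python
import re
from collections import defaultdict

# Leading fields of an S3 server access log record (more fields follow these).
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}|-) (?P<error>\S+) (?P<bytes>\S+) '
)
READ_OPS = {"REST.GET.OBJECT", "REST.GET.BUCKET"}  # object download, bucket listing

# Constructed sample records: two anonymous reads, one authenticated read,
# one anonymous request that was denied.
SAMPLE_LOG = [
    'OWNERIDEXAMPLE example-checkin-docs [10/Mar/2024:02:11:05 +0000] 198.51.100.7 - REQID0001 REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 - 4096 - 21 20 "-" "curl/8.0" -',
    'OWNERIDEXAMPLE example-checkin-docs [10/Mar/2024:02:11:09 +0000] 198.51.100.7 - REQID0002 REST.GET.OBJECT scans/0001.jpg "GET /scans/0001.jpg HTTP/1.1" 200 - 250000 250000 40 38 "-" "curl/8.0" -',
    'OWNERIDEXAMPLE example-checkin-docs [10/Mar/2024:03:00:00 +0000] 192.0.2.10 arn:aws:iam::111122223333:user/app REQID0003 REST.GET.OBJECT scans/0001.jpg "GET /scans/0001.jpg HTTP/1.1" 200 - 250000 250000 35 33 "-" "aws-sdk" -',
    'OWNERIDEXAMPLE example-checkin-docs [11/Mar/2024:08:30:12 +0000] 203.0.113.5 - REQID0004 REST.GET.OBJECT scans/0002.jpg "GET /scans/0002.jpg HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "Mozilla/5.0" -',
]

def anonymous_reads(lines):
    """Summarise successful unauthenticated reads, grouped by source IP."""
    summary = defaultdict(lambda: {"listings": 0, "objects": set(), "bytes": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access log record
        if m["requester"] != "-" or m["operation"] not in READ_OPS:
            continue  # authenticated caller, or not a read
        if not m["status"].startswith("2"):
            continue  # request was denied or failed
        entry = summary[m["ip"]]
        if m["operation"] == "REST.GET.BUCKET":
            entry["listings"] += 1
        else:
            entry["objects"].add(m["key"])
        if m["bytes"].isdigit():
            entry["bytes"] += int(m["bytes"])
    return dict(summary)

if __name__ == "__main__":
    for ip, seen in anonymous_reads(SAMPLE_LOG).items():
        print(ip, seen["listings"], sorted(seen["objects"]), seen["bytes"])
```

Server access logs are delivered on a best-effort basis, so an empty result does not prove that nobody read the bucket.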
Why This Matters for Indian Travellers
India is one of the largest sources of international tourists visiting Japan. Every year, hundreds of thousands of Indian travellers fly to Japan for business, leisure and study. If any of them used Tabiq for hotel check‑in, their passports and other identity documents could be among the exposed files.
The risks are not theoretical. Passport numbers, driving licence details and selfie images can be used to:
- Open bank accounts or apply for loans in your name.
- Create fake identity documents that pass basic verification checks.
- Perform social‑engineering attacks on your family, employer or bank.
- Sell your personal data on the dark web to other criminals.
For Indian citizens, the exposure of passport information is particularly dangerous. Passports are the gold standard of identity proof. With a scanned copy of your passport, fraudsters can attempt to obtain visas, register companies, or even link mobile connections in your name.
The incident also raises serious questions under India’s Digital Personal Data Protection (DPDP) Act, 2023. The DPDP Act requires companies collecting personal data of Indian citizens to implement reasonable security safeguards. A public cloud bucket storing over one million identity documents without password protection is the exact opposite of “reasonable security”. It is a clear violation of data fiduciary obligations.
A Recurring Problem: Companies Keep Making the Same Mistake
This is not an isolated incident. TechCrunch has reported similar exposures of driver’s licences and passports from a money transfer service, Duc App, as well as a data breach at car rental company Hertz. In almost every case, the root cause is not a sophisticated hack – it is a basic misconfiguration of cloud storage.
Cybersecurity experts have long warned about the dangers of “open bucket” exposures. These incidents happen when companies fail to apply even the most elementary security settings. Amazon has added multiple warning prompts to prevent accidental public exposure, yet such lapses continue to occur.
For the hospitality industry, the growing use of facial recognition and digital identity systems adds another layer of risk. Hotels are increasingly collecting sensitive personal data to speed up contactless check‑ins, but many lack the security infrastructure to protect that data. Guests are often unaware that their identity documents are being stored online at all – let alone in an unsecured bucket.
What You Can Do to Protect Yourself
If you have visited Japan in the past five years and used a digital hotel check‑in kiosk, follow these steps immediately:
- Check your passport. Look for any unauthorised entries or stamps. If your passport was exposed, fraudsters could attempt to apply for visas or open accounts in your name.
- Monitor your credit reports. In India, you can obtain free credit reports from CIBIL, Experian, Equifax or CRIF High Mark. Look for any loans or credit cards you did not apply for.
- Enable bank alerts. Set up SMS and email alerts for every transaction. The sooner you spot unauthorised activity, the easier it is to dispute it.
- Be cautious of unsolicited calls. Scammers may use your leaked personal details to impersonate bank officials, travel agents or government employees. Never share OTPs or PINs over the phone.
- Watch for visa or passport renewal scams. Fraudsters may contact you claiming your passport needs “urgent renewal” and demand payment.
- Report any suspicious activity. If you believe your identity has been stolen, file a report on the National Cyber Crime Reporting Portal (cybercrime.gov.in) and contact your local police station.
There is no fool‑proof way to “un‑expose” data once it has been leaked. However, early detection and vigilant monitoring can minimise the damage.
Call for Stronger Data Protection in the Hospitality Industry
The Tabiq breach is a wake‑up call for the entire hospitality industry. Hotels and technology vendors cannot treat identity documents as ordinary business data. A passport is not the same as a customer’s email address. It is a permanent, irreplaceable credential that, once compromised, can haunt a person for a lifetime.
Companies that process identity documents must:
- Never store raw passport or driving licence images in public cloud buckets without encryption and strict access controls.
- Conduct regular security audits to detect misconfigurations before researchers find them.
- Limit data retention to the minimum necessary period. There is no justification for retaining selfie verification photos from 2020 in an active bucket.
- Notify affected individuals promptly when a breach occurs – not weeks or months later.
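One way to automate the misconfiguration audit recommended above, shown as an added example that is not Reqrea's or AWS's code. It evaluates a bucket's ACL grants, bucket policy and Block Public Access settings, supplied as plain data in the shapes the S3 API returns; the bucket name and policy are constructed samples, and treating any `Condition` as restrictive is a simplifying assumption.

```python
import json

# Group URIs that make an ACL grant public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed sample policy for a hypothetical bucket name.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-checkin-docs",
                     "arn:aws:s3:::example-checkin-docs/*"],
    }],
})
# The two Block Public Access flags that neutralise existing public grants.
NO_BLOCK = {"IgnorePublicAcls": False, "RestrictPublicBuckets": False}
FULL_BLOCK = {"IgnorePublicAcls": True, "RestrictPublicBuckets": True}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard(principal):
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return principal == "*"

def public_findings(acl_grants, policy_json, block):
    """Return the reasons a bucket is publicly exposed (empty list if none)."""
    findings = []
    if not block.get("IgnorePublicAcls", False):
        for grant in acl_grants:
            if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
                findings.append(f"ACL grants {grant['Permission']} to a public group")
    if policy_json and not block.get("RestrictPublicBuckets", False):
        for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
            # Simplification: a statement with any Condition is treated as restricted.
            if (stmt.get("Effect") == "Allow" and not stmt.get("Condition")
                    and _is_wildcard(stmt.get("Principal"))):
                actions = ", ".join(_as_list(stmt.get("Action", [])))
                findings.append(f"policy allows {actions} to any principal")
    return findings

if __name__ == "__main__":
    print(public_findings([], OPEN_POLICY, NO_BLOCK))
```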
Regulators also need to act. The DPDP Act must be enforced vigorously against companies that violate the “reasonable security” requirement. Penalties should be severe enough to make data protection a board‑level priority, not an afterthought.
The Bottom Line
More than one million passports, driver’s licences and selfie verification photos were left exposed on the open internet because a hotel check‑in system vendor failed to apply basic cloud security settings. The data may have been accessible for over five years. It may have been downloaded by unknown parties. It may already be in the hands of fraudsters.
Indian travellers who visited Japan during this period are at risk. There is no magic fix. The damage cannot be undone. But you can take steps to protect yourself – monitor your credit reports, watch for phishing scams and report suspicious activity immediately.
The next time you hand over your passport at a hotel reception or upload a selfie for verification, ask a simple question: Where is my data going, and is it safe? The answer may determine whether your next vacation ends with a fraud alert instead of a souvenir.
FAQ
Q: How do I know if my passport was exposed?
A: Tabiq was used in several hotels across Japan. If you visited Japan between early 2020 and May 2026 and used a digital check‑in system that scanned your passport and took a selfie, there is a chance your data was exposed. Reqrea has promised to notify affected individuals once its investigation is complete.
Q: Is there a way to check if my passport number is being misused?
A: You cannot run a search for your passport number on the dark web. However, you can monitor your credit reports for unauthorised accounts. You can also enable SMS alerts on your passport, driving licence and Aadhaar number where such services are available.
Q: Can fraudsters use my passport photo to create fake identity documents?
A: Yes. A scanned copy of a genuine passport is valuable for forgery. Fraudsters can replace the photo or alter the details to create a fake document that may pass low‑level verification checks.
Q: Does India’s DPDP Act cover this incident?
A: Yes. The DPDP Act applies to any company that processes personal data of Indian citizens, regardless of where the company is based. If Reqrea processed the passport or driving licence of an Indian citizen, it is subject to the DPDP Act’s security and breach‑notification requirements.
Q: What should the Indian government do?
A: The Data Protection Board should investigate this incident and consider penalising Reqrea under the DPDP Act. Additionally, the Ministry of Electronics and IT (MeitY) should issue guidelines requiring hotels and travel vendors operating in India to implement mandatory security audits for any system that stores identity documents.