The entrance to the hotel left a million passports and driver’s licenses open for all to see

The hotel’s check-in system left more than a million customers’ passports, driver’s licenses, and selfies on the open page after security breached. The content is now offline after TechCrunch warned the company.

The entrance to the hotel, called Tabiqit is maintained by a technology startup from Japan Reqrea. According to its website, Tabiq is used in several hotels across Japan and relies on facial recognition and document scanning to identify guests.

An independent researcher Anurag Sen contacted TechCrunch earlier this week after it discovered that the system was leaking sensitive documents from visitors from around the world. Sen said this is because the startup made its Amazon cloud storage buckets, which login systems use to store customer data, to be publicly available. The content can be viewed by any browser user, without needing a password, knowing only the name of the container: “tabiq.”

Sen alerted TechCrunch to help raise awareness of the company. Reqrea closed the storage container after TechCrunch reached out to the company and Japan’s cybersecurity coordination group, JPCERT.

The latest breach highlights the ever-present problem of companies exposing or losing their customers’ data and sensitive documents – not because of technical attacks, but because they failed to follow basic cyber security measures. Besides a the latest buzz The risks identified by AI are new cybersecurity skillsmost of the time major security incidents stem from human error, inconsistency, or failure to follow best online security practices.

In an email acknowledging the disclosure, Reqrea CEO Masataka Hashimoto told TechCrunch: “We are conducting a thorough investigation with the help of outside legal counsel and other consultants to determine the extent of the disclosure.”

Reqrea said he did not know how the storage container became exposed. By default, Amazon’s cloud storage buckets are private. After the proliferation of customer storage containers a few years ago, Amazon added a number of warnings to customers before they were made public, making this type of outage more difficult to do by accident.

Hashimoto told TechCrunch that the company plans to notify those affected after it completes its investigation.

It is unclear whether anyone other than Sen had access to the leaked information before it was secured. Hashimoto said the company is reviewing its logs to determine if there was a legitimate opportunity before taking the container.

Details of the transparent container were also drawn by GreyHatWarfarea search engine that publicly points to cloud storage. This bucket list contains files from early 2020 to as recently as this month, and includes documents from visitors from countries around the world.

Completion of the hotel system following certain events related to the well-known documents issued by the government. Earlier this year, TechCrunch reported on the disclosure of driver’s licenses, passports, and other documents that were uploaded by customers. Duc App money transfer service. A data breach at car rental company Hertz last year saw hackers get away with the driver’s license information of at least 100,000 customers.

The developments come at a time when governments are increasingly enforcing age-verification laws and small businesses are using “know your customer” checks to verify a person’s identity. Both rely on authorities uploading sensitive documents, often to a third-party company, for verification, despite opposition from cyber security experts. Data breaches can put people whose information was taken at greater risk of fraud or misuse of their identity for age verification. living all over the world.