A significant security breach has occurred in the Tabiq hotel check-in system, exposing over one million customer passports, driver’s licenses, and selfie verification photos. This sensitive information was accessible on the open web due to a misconfiguration in the cloud storage settings managed by Reqrea, a tech startup based in Japan.
Independent security researcher Anurag Sen discovered the vulnerability and alerted TechCrunch, leading to the data being taken offline. The issue arose when Reqrea set one of its Amazon cloud storage buckets to public access, allowing anyone with the bucket name to view the contents without a password.
Following the alert, Reqrea promptly secured the storage bucket. The company is currently conducting a thorough review to understand the scope of the exposure, with support from external legal counsel. Director Masataka Hashimoto stated that the company is investigating how the bucket became public, as Amazon's cloud storage is typically private by default.
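An added example, not code from Reqrea, TechCrunch, or the researcher: the three S3 settings that together decide whether a bucket is readable by anyone who knows its name. The article does not say which setting was involved here; the inputs are constructed samples shaped like the output of S3's GetBucketPolicy, GetBucketAcl, and GetPublicAccessBlock calls, and the function name `public_exposure` is hypothetical.

```python
from fnmatch import fnmatchcase

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"  # ACL group: anyone

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _anonymous(principal):
    # "*" or {"AWS": "*"} matches every caller, including unsigned requests
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_exposure(policy, acl_grants, pab):
    """List the ways an anonymous caller can list or read the bucket."""
    findings = set()
    if not pab.get("RestrictPublicBuckets"):  # when set, public policies stop serving anonymous callers
        for st in _as_list(policy.get("Statement", [])):
            if st.get("Effect") != "Allow" or "Condition" in st:
                continue  # conditioned statements need manual review
            if not _anonymous(st.get("Principal")):
                continue
            for pattern in _as_list(st.get("Action", [])):
                p = pattern.lower()  # IAM action names are case-insensitive
                if fnmatchcase("s3:listbucket", p):
                    findings.add("policy:list")
                if fnmatchcase("s3:getobject", p):
                    findings.add("policy:read")
    if not pab.get("IgnorePublicAcls"):  # when set, S3 disregards public ACL grants
        for g in acl_grants:
            if (g.get("Grantee", {}).get("URI") == ALL_USERS
                    and g.get("Permission") in ("READ", "FULL_CONTROL")):
                findings.add("acl:list")
    return sorted(findings)

# Constructed sample inputs; "example-bucket" is a placeholder name.
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}
OPEN_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
PAB_OFF = dict.fromkeys(["BlockPublicAcls", "IgnorePublicAcls",
                         "BlockPublicPolicy", "RestrictPublicBuckets"], False)
PAB_ON = dict.fromkeys(PAB_OFF, True)

if __name__ == "__main__":
    print(public_exposure(OPEN_POLICY, OPEN_ACL, PAB_OFF))
    print(public_exposure(OPEN_POLICY, OPEN_ACL, PAB_ON))
```

The check covers bucket-level settings only; account-level Block Public Access and per-object ACLs are outside what it evaluates.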
This incident highlights a recurring issue in cybersecurity where companies inadvertently expose sensitive customer data due to basic misconfigurations rather than sophisticated attacks. The breach raises concerns about the security of personal information, especially as businesses increasingly rely on third-party services for identity verification.
Hashimoto said the company plans to notify affected individuals once the investigation is complete. However, it remains uncertain whether anyone besides Sen accessed the exposed data before it was secured. The logs are being reviewed to determine whether any unauthorized access occurred prior to the fix.
Details of the exposed bucket were also indexed by GrayHatWarfare, revealing files dating back to early 2020, which included identity documents from various countries. This incident is part of a troubling trend, as earlier this year, similar exposures occurred involving identity documents from customers of the Duc App and a data breach at Hertz.
As governments implement age verification laws and businesses adopt stringent identity checks, the risks associated with data exposure continue to grow. Such lapses increase the likelihood of identity fraud and misuse of personal information.