Tabiq Hotel Check-In System Exposed Over 1 Million Passports and Driver’s Licenses Online

A hotel check-in system called Tabiq left more than 1 million customer passports, driver’s licenses, and selfie verification photos exposed to the open web after a security lapse, according to TechCrunch.

“A hotel check-in system left more than 1 million customer passports, driver’s licenses, and selfie verification photos to the open web after a security lapse”

TechCrunch

TechCrunch reported that the data was now offline after it alerted the Japan-based tech startup Reqrea, which maintains Tabiq and relies on facial recognition and document scanning to check guests in.

TechCrunch

Independent security researcher Anurag Sen said the startup set one of its Amazon cloud-hosted storage buckets to be publicly accessible, and that the data inside could be viewed by anyone using a web browser without needing a password by knowing only the bucket name: “tabiq.”

Zamin.uz also described the exposure as a fault in the Tabiq system, saying passport copies, driver's licenses, and facial-recognition selfies of over a million customers were left exposed on the internet.

After TechCrunch reached out to both Reqrea and Japan’s cybersecurity coordination team, JPCERT, Reqrea locked down the storage bucket, and TechCrunch said it remains unclear whether anyone other than Sen accessed the exposed data before it was secured.

In an email acknowledging the exposure, Reqrea director Masataka Hashimoto told TechCrunch, “We are conducting a thorough review with the support of external legal counsel and other advisors to determine the full scope of exposure.”

The Tech Buzz

TechCrunch reported that Hashimoto said the company plans to notify affected individuals once it has completed its investigation, and that the company is reviewing its logs to determine if there had been any authorized access prior to securing the bucket.

Zamin.uz added that following alerts from TechCrunch and the JPCERT security team, Reqrea secured the database, and that Hashimoto said an investigation into the incident has been launched with external consultants assessing the extent of the data exposure.

TechCrunch said the lapse underscores a recurring problem of companies exposing or spilling their customers’ personal information and sensitive documents “not through sophisticated attacks, but by failing to follow basic cybersecurity practices.”

“A serious security vulnerability has been discovered in the Tabiq hotel check-in system, developed by the Japanese startup Reqrea”

Zamin.uz

TechCrunch also reported that by default, Amazon’s cloud storage buckets are private, and that after a spate of exposed customer storage buckets a few years ago, Amazon added several warning prompts to customers before data can be made public.

Zamin.uz described the issue as not a sophisticated cyberattack, but rather the result of simple human error and failure to follow security protocols, while also noting that Amazon configures its cloud storage to be private by default.

TechCrunch further said details of the exposed bucket were captured by GrayHatWarfare, whose searchable database indexed publicly visible cloud storage with files dating back to early 2020 up to as recently as this month, including identity documents of visitors from countries around the world.