A hotel check-in system operated by Japan-based startup Reqrea left more than one million customer passports, driver’s licenses, and selfie verification photos openly accessible on the internet, TechCrunch reported on May 15, 2026. The data has since been secured after TechCrunch alerted the company.
The system, called Tabiq, is used at several hotels across Japan and relies on facial recognition and document scanning to check guests in. Independent security researcher Anurag Sen discovered that Reqrea had configured one of its Amazon cloud storage buckets — named simply “tabiq” — to be publicly accessible. Anyone with a web browser and knowledge of the bucket name could view the sensitive files inside without a password.
Sen contacted TechCrunch to help notify the company. Reqrea locked down the storage bucket after TechCrunch reached out to both the company and Japan’s cybersecurity coordination team, JPCERT. The exposed files dated from early 2020 through May 2026 and included identity documents from visitors from countries around the world. The bucket’s contents had also been indexed by GrayHatWarfare, a searchable database of publicly visible cloud storage.
Reqrea director Masataka Hashimoto told TechCrunch: “We are conducting a thorough review with the support of external legal counsel and other advisors to determine the full scope of exposure.” The company said it does not know how the bucket became public, noting that Amazon’s cloud storage is private by default and that Amazon has added warning prompts to make accidental public exposure harder. Hashimoto said Reqrea plans to notify affected individuals once its investigation is complete. It remains unclear whether anyone other than Sen accessed the data before it was secured.
The incident is part of a broader pattern of companies exposing sensitive identity documents through misconfigurations rather than sophisticated attacks. Similar lapses have affected customers of money transfer service Duc App and, in a separate breach, driver’s license data belonging to at least 100,000 Hertz customers. Cybersecurity experts have raised concerns that the growing use of identity document uploads for age verification and “know your customer” checks may put people at greater risk of identity fraud when such data is mishandled.
Source: TechCrunch