A hotel check-in system called Tabiq, used by hotels in Japan, left over one million customer passports, driver's licenses, and selfie verification photos exposed on the open web due to a security lapse. The sensitive data is now offline after security researcher Anurag Sen alerted TechCrunch, which then notified the company responsible, as TechCrunch reports.The exposed data belonged to users of Tabiq, a system maintained by Japanese tech startup Reqrea that utilizes facial recognition and document scanning for hotel check-ins. Sen discovered that Reqrea had configured one of its Amazon cloud storage buckets, named "tabiq," to be publicly accessible, allowing anyone with the bucket name to view its contents without authentication. Reqrea has since secured the storage bucket after being contacted by TechCrunch and Japan's cybersecurity coordination team, JPCERT. Reqrea director Masataka Hashimoto stated the company is investigating the full scope of the exposure and does not know how the bucket became public.This incident highlights a common issue where basic cybersecurity misconfigurations, rather than sophisticated attacks, lead to significant data breaches. The lapse occurred despite Amazon's default private settings and warning prompts for public bucket configurations. It is unclear if unauthorized parties accessed the data before it was secured, and Reqrea is reviewing logs to determine this. The exposed data, dating back to early 2020, included identity documents from global visitors. This follows similar incidents involving exposed identity documents from other services, occurring as age verification and "know your customer" requirements increase the reliance on sensitive document uploads.Source: TechCrunch
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds




