A hotel check-in system left more than one million customer passports, driver’s licenses, and selfie verification photos to the open web after a security lapse. The data is now offline after TechCrunch alerted the company responsible.

The hotel check-in system, called Tabiq, is maintained by the Japan-based tech startup Reqrea. According to its website, Tabiq is used in several hotels across Japan and relies on facial recognition and document scanning to check guests in.

Independent security researcher Anurag Sen contacted TechCrunch earlier this week after discovering that the system was leaking the sensitive documents of hotel guests from around the world. Sen said this was because the startup set one of its Amazon cloud-hosted storage buckets, which the check-in system uses to store customer data, to be publicly accessible. The data inside could be viewed by anyone using a web browser, without needing a password, by knowing only the bucket name: “tabiq.” 

Sen alerted TechCrunch in an effort to help in notifying the company. Reqrea locked down the storage bucket after TechCrunch reached out to both the company and Japan’s cybersecurity coordination team, JPCERT.

This latest lapse underscores a recurring problem of companies exposing or spilling their customers’ personal information and sensitive documents — not through sophisticated attacks, but by failing to follow basic cybersecurity practices. Aside from a recent buzz of AI-discovered vulnerabilities and new cybersecurity capabilities, oftentimes sizable security incidents stem from human error, misconfigurations, or failing to adhere to cybersecurity best practices.

In an email acknowledging the exposure, Reqrea director Masataka Hashimoto told TechCrunch: “We are conducting a thorough review with the support of external legal counsel and other advisors to determine the full scope of exposure.”

Reqrea said it does not know how the storage bucket became public. By default, Amazon’s cloud storage buckets are private. After a spate of exposed customer storage buckets a few years ago, Amazon added several warning prompts to customers before data can be made public, making this kind of lapse increasingly hard to do accidentally.

Hashimoto told TechCrunch that the company plans to notify affected individuals once it has completed its investigation. 

It remains unclear whether anyone other than Sen accessed the exposed data before it was secured. Hashimoto said the company is reviewing its logs to determine if there had been any authorized access prior to securing the bucket.

Details of the exposed bucket were also captured by GrayHatWarfare, a searchable database that indexes publicly visible cloud storage. The bucket listing contains files dating back to early 2020 up to as recently as this month, and included identity documents of visitors from countries around the world.

The hotel check-in system lapse follows other incidents involving sensitive government-issued documents. Earlier this year, TechCrunch reported on the exposure of driver’s licenses, passports, and other identity documents uploaded by customers of money transfer service Duc App. A data breach at car rental service Hertz last year saw hackers make off with driver’s license information belonging to at least 100,000 customers.

These incidents come at a time when governments are increasingly rolling out age verification laws and private businesses are using “know your customer” checks to verify a person’s identity. Both rely on adults uploading sensitive documents, often to a third-party company, for verification, despite criticisms from cybersecurity experts. Data lapses can put people whose information was taken at greater risk of identity fraud or having their likeness misused as age verification requirements take hold around the world.