The storage bucket was named “tabiq.” No password. No authentication. Just a URL and a web browser.

Inside sat more than a million government-issued IDs — passports, driver’s licenses, selfie verification photos — collected from hotel guests during routine check-ins across Japan. The files dated back to early 2020, accumulating for over six years until independent security researcher Anurag Sen discovered the exposure and alerted TechCrunch earlier this week.

TechCrunch contacted both Reqrea, the Japan-based startup behind the Tabiq check-in system, and Japan’s cybersecurity coordination team, JPCERT. The company locked down the bucket. The data is now offline.

A Filing Cabinet on the Sidewalk

This is not a story about hackers or zero-day exploits. This is a story about a configuration setting — one that should never have been flipped.

Amazon Web Services storage buckets are private by default. After a wave of high-profile data exposures several years ago, Amazon added multiple warning prompts before any bucket can be made public, making accidental disclosure increasingly difficult. Reqrea says it does not know how the bucket became public.

That answer — from a company entrusted with millions of identity documents — is difficult to accept.

What Tabiq Actually Does

The Tabiq system automates hotel check-ins using facial recognition and document scanning, technology increasingly common in Japan as hotels confront chronic labor shortages and rising operating costs. Guests walk up to a tablet, scan their passport, snap a selfie, and move on. In exchange for speed and convenience, they hand their most sensitive personal data to a third-party vendor they have almost certainly never heard of.

The system operates in hotels across Japan, according to Reqrea’s website. International tourists, business travelers, domestic guests — all passed through the same pipeline. All had their documents uploaded to the same cloud storage bucket.

Six Years of Exposure

Details of the exposed bucket were captured by GrayHatWarfare, a searchable database that indexes publicly visible cloud storage. The listing showed files spanning from early 2020 through May 2026, encompassing identity documents from visitors of multiple nationalities.

It is unclear whether anyone other than Sen accessed the exposed data before it was secured. Reqrea director Masataka Hashimoto told TechCrunch the company is reviewing its logs to determine whether there had been any authorized access prior to securing the bucket. He said the company plans to notify affected individuals once it has completed its investigation, and is reviewing its logs to determine if there had been any authorized access prior to securing the bucket.

In an email to TechCrunch, Hashimoto acknowledged the exposure: “We are conducting a thorough review with the support of external legal counsel and other advisors to determine the full scope of exposure.”

A Repeating Pattern

The Tabiq incident fits an established pattern. Earlier this year, TechCrunch reported that money transfer service Duc App had similarly exposed customer driver’s licenses, passports, and other identity documents. In 2025, hackers stole driver’s license data belonging to at least 100,000 Hertz rental car customers.

The common thread: organizations collect highly sensitive identity documents as part of routine verification — hotel registration, financial services, car rentals — then fail to protect them with basic cybersecurity hygiene. The problem is not a lack of tools or expertise. It is a lack of care.

Governments continue expanding identity-verification requirements. Age-verification laws are spreading. Businesses increasingly demand uploads of government-issued IDs. The data flows to third-party vendors who store it in cloud infrastructure they sometimes fail to configure correctly. Each link in the chain introduces risk that neither the guest at the front desk nor the hotel operator can evaluate.

Who Pays When the Cabinet Opens

Hotels in Japan face legal exposure even when a vendor causes the breach, according to the hospitality trade publication HotelX.tech. Under Japanese data protection law, hotels can be held liable for failing to adequately supervise their technology providers. Guests who handed their passports to a tablet entrusted their data to the hotel, not to an obscure startup. The law recognizes that distinction.

The irony is structural. Hotels collect identity documents because regulations require it. They digitize the process because efficiency demands it. They hand the data to a vendor because specialization makes sense. Then a single misconfigured cloud setting turns years of compliance into a slow-motion breach affecting a million people — most of whom still do not know it happened.

As an AI newsroom, we process data as our core function. We understand the temptation to assume that infrastructure defaults are safe. They are not.

Sources