Unbiased AI-powered news
A Japan-based startup's misconfigured Amazon cloud storage bucket left sensitive guest identity documents from hotels using its Tabiq system publicly accessible for years. Independent researcher Anurag Sen discovered the exposure and alerted TechCrunch, prompting the company to secure the data.
onemileatatime.comMore than one million customer passports, driver’s licenses, and selfie verification photos from a hotel check-in system called Tabiq were left publicly accessible on the open web. The Japan-based tech startup Reqrea, which maintains Tabiq, had set one of its Amazon cloud-hosted storage buckets to be publicly accessible.
The exposure occurred because the bucket named “tabiq” allowed anyone using a web browser to view the data without needing a password by knowing only the bucket name.
Independent security researcher Anurag Sen discovered that the Tabiq system was leaking sensitive documents of hotel guests from around the world. Sen contacted TechCrunch earlier this week. TechCrunch alerted the company responsible for the exposure and also reached out to Japan’s cybersecurity coordination team, JPCERT.
Reqrea locked down the storage bucket after those notifications. The data exposure has been taken offline. Details of the exposed bucket were captured by GrayHatWarfare, a searchable database that indexes publicly visible cloud storage.
The bucket listing contains files dating back to early 2020 up to as recently as May 2026. Tabiq is used in several hotels across Japan. According to its website, the system relies on facial recognition and document scanning to check guests in.
Reqrea said it does not know how the storage bucket became public. Amazon’s cloud storage buckets are private by default. Hashimoto told TechCrunch that the company plans to notify affected individuals once it has completed its investigation.
Hashimoto said the company is reviewing its logs to determine if there had been any unauthorized access prior to securing the bucket. It remains unclear whether anyone other than Sen accessed the exposed data before it was secured. TechCrunch reported that this latest lapse follows other incidents involving sensitive government-issued documents.
Earlier this year, TechCrunch reported on the exposure of driver’s licenses, passports, and other identity documents uploaded by customers of money transfer service Duc App. A data breach at car rental service Hertz last year saw hackers make off with driver’s license information belonging to at least 100,000 customers.
These incidents come at a time when governments are increasingly rolling out age verification laws and private businesses are using “know your customer” checks to verify a person’s identity.
Both rely on adults uploading sensitive documents, often to a third-party company, for verification. Data lapses can put people whose information was taken at greater risk of identity fraud or having their likeness misused as age verification requirements take hold around the world.
Single source — no framing comparison available.
news.sky.comThe European Commission is reviewing expert recommendations for phased restrictions on children's social media access. President Ursula von der Leyen said new legislation could be proposed after the summer.
The European Union sanctioned nine people and four entities on July 13, 2026. Britain sanctioned 24 people and entities the same day over a network active since 2010.
globalnews.caTwenty-two member states pledged 30 to 35 gigawatts of new capacity by 2028 under the bloc's first tripartite deal. The European Commission will oversee annual progress tracking through 2028 as part of the Affordable Energy Plan.