Major Data Breach Exposes Over 1 Million Passport and ID Documents in Hotel Check-In System
A significant security failure at Tabiq, a digital hotel check-in platform operated by Japan-based startup Reqrea, exposed over one million sensitive identity documents online without password protection. The breach, uncovered by independent security researcher Anurag Sen, revealed unsecured Amazon cloud storage containing passports, driver’s licenses, and facial verification selfies from hotel guests worldwide.
The exposed data used by hotels across Japan for contactless check-ins included names, addresses, dates of birth, passport numbers, and photographs, raising serious risks of identity theft and fraud. While the company secured the database after being alerted, it remains unclear how long the files were exposed or whether unauthorized parties accessed them.
The incident highlights persistent vulnerabilities in improperly configured cloud storage, a recurring issue in cybersecurity. It also underscores growing concerns over facial recognition and digital identity systems in hospitality, as hotels increasingly adopt automated verification processes.
This breach arrives amid heightened scrutiny of companies handling personal identity documents, particularly as digital verification expands globally.
Reqrea TPRM report: https://www.rankiteo.com/company/reqrea
"id": "req1778992020",
"linkid": "reqrea",
"type": "Breach",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Over 1 million hotel guests '
'worldwide',
'industry': 'Hospitality/Technology',
'location': 'Japan',
'name': 'Tabiq (operated by Reqrea)',
'type': 'Digital hotel check-in platform'}],
'attack_vector': 'Improperly configured cloud storage',
'data_breach': {'number_of_records_exposed': 'Over 1 million',
'personally_identifiable_information': ['Names',
'Addresses',
'Dates of birth',
'Passport numbers',
'Photographs'],
'sensitivity_of_data': 'High (PII, biometric data)',
'type_of_data_compromised': ['Passports',
'Driver’s licenses',
'Facial verification selfies']},
'description': 'A significant security failure at Tabiq, a digital hotel '
'check-in platform operated by Japan-based startup Reqrea, '
'exposed over one million sensitive identity documents online '
'without password protection. The breach, uncovered by '
'independent security researcher Anurag Sen, revealed '
'unsecured Amazon cloud storage containing passports, driver’s '
'licenses, and facial verification selfies from hotel guests '
'worldwide. The exposed data included names, addresses, dates '
'of birth, passport numbers, and photographs, raising serious '
'risks of identity theft and fraud. While the company secured '
'the database after being alerted, it remains unclear how long '
'the files were exposed or whether unauthorized parties '
'accessed them.',
'impact': {'brand_reputation_impact': 'High',
'data_compromised': 'Over 1 million sensitive identity documents',
'identity_theft_risk': 'High',
'legal_liabilities': 'Potential',
'systems_affected': 'Digital hotel check-in platform (Tabiq)'},
'lessons_learned': 'Persistent vulnerabilities in improperly configured cloud '
'storage and growing concerns over facial recognition and '
'digital identity systems in hospitality.',
'post_incident_analysis': {'root_causes': 'Improperly configured cloud '
'storage'},
'references': [{'source': 'Independent security researcher Anurag Sen'}],
'response': {'containment_measures': 'Database secured after being alerted'},
'title': 'Major Data Breach Exposes Over 1 Million Passport and ID Documents '
'in Hotel Check-In System',
'type': 'Data Breach',
'vulnerability_exploited': 'Unsecured Amazon cloud storage without password '
'protection'}