
A hotel check-in system left a million passports and driver’s licenses open for anyone to see


A hotel check-in system left more than a million passports, driver’s licenses and customer verification photos exposed online because of a security lapse. The data is now offline after TechCrunch alerted the company responsible.

The hotel check-in system is an application maintained by Reqrea, a technology startup based in Japan. According to its website, the app is used in many hotels across Japan and relies on facial recognition and document scanning to check in guests.

Independent security researcher Anurag Sen contacted TechCrunch earlier this week after discovering that the system was leaking sensitive documents of hotel guests from around the world. The startup had set one of its storage buckets hosted on Amazon’s cloud, which the check-in system uses to store customer data, to be publicly accessible, Sen said. Anyone could view the data in a web browser, without a password, by knowing only the name of the bucket: “normal”.

Sen alerted TechCrunch in an attempt to help notify the company. Reqrea locked down the storage bucket after TechCrunch reached out to both the company and Japan’s cybersecurity coordination team, JPCERT.

This latest lapse highlights a recurring problem of companies exposing or leaking their customers’ personal information and sensitive documents – not through sophisticated attacks, but through failure to follow basic cybersecurity practices. Aside from the recent hype around AI-discovered vulnerabilities and new cybersecurity capabilities, significant security incidents often stem from human error, misconfigurations, or failure to adhere to cybersecurity best practices.


In an email acknowledging the exposure, Reqrea director Masataka Hashimoto told TechCrunch: “We are conducting a comprehensive review with support from outside legal counsel and other advisors to determine the full scope of the exposure.”

Reqrea said it did not know how the storage bucket became public. By default, Amazon storage buckets are private. After a series of exposed customer storage buckets a few years ago, Amazon added several warnings that customers see before making data public, making this kind of lapse much harder to commit accidentally.
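How a bucket ends up readable without a password comes down to three settings, checked here in an added example that is not from the article or from Reqrea. The dictionaries mirror the shapes of the S3 GetPublicAccessBlock, GetBucketAcl and GetBucketPolicy responses; the bucket name and all sample values are constructed, and policy matching is simplified to unconditional Allow statements for "*" with trailing wildcards only.

```python
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # Simplification: only exact names and a trailing "*" wildcard are handled.
    if pattern.endswith("*"):
        return action.lower().startswith(pattern[:-1].lower())
    return pattern.lower() == action.lower()

def public_read_findings(block, acl, policy_json=None):
    """List the reasons an anonymous visitor could list or read the bucket."""
    findings = []
    # IgnorePublicAcls makes S3 disregard any public grant in the ACL.
    if not block.get("IgnorePublicAcls", False):
        for grant in acl.get("Grants", []):
            if (grant.get("Grantee", {}).get("URI") == ALL_USERS
                    and grant.get("Permission") in ("READ", "FULL_CONTROL")):
                findings.append("ACL grants %s to AllUsers" % grant["Permission"])
    # RestrictPublicBuckets cuts off anonymous access granted by a public policy.
    if policy_json and not block.get("RestrictPublicBuckets", False):
        for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
            principal = stmt.get("Principal")
            anonymous = principal == "*" or (
                isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
            if stmt.get("Effect") != "Allow" or not anonymous or stmt.get("Condition"):
                continue
            patterns = _as_list(stmt.get("Action", []))
            hits = [a for a in READ_ACTIONS if any(_matches(p, a) for p in patterns)]
            if hits:
                findings.append("policy allows anonymous " + ", ".join(hits))
    return findings

# Constructed sample data; "example-bucket" is a placeholder name.
OPEN_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
LOCKED_BLOCK = {key: True for key in OPEN_BLOCK}
PUBLIC_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                          "Permission": "READ"}]}
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": ["s3:Get*"],
    "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    print(public_read_findings(OPEN_BLOCK, PUBLIC_ACL, PUBLIC_POLICY))
    print(public_read_findings(LOCKED_BLOCK, PUBLIC_ACL, PUBLIC_POLICY))
```

An empty list means neither the ACL nor the policy gives anonymous visitors list or read access under the current Block Public Access settings.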

Hashimoto told TechCrunch that the company plans to notify affected individuals once it has completed its investigation.

It remains unclear whether anyone other than Sen accessed the exposed data before it was secured. Hashimoto said the company is reviewing its records to determine if there was any unauthorized access before the bucket was secured.

Details of the exposed bucket were also captured by GrayHatWarfare, a searchable database that indexes publicly visible cloud storage. The bucket listing contained files dating from early 2020 to as recently as this month, and included identity documents for visitors from countries around the world.

The hotel check-in system’s lapse comes on the heels of other incidents involving sensitive government-issued documents. Earlier this year, TechCrunch reported on the exposure of driver’s licenses, passports, and other identity documents uploaded by customers of money transfer service Duc App. A data breach at car rental service Hertz last year led to hackers stealing driver’s license information belonging to at least 100,000 customers.

These incidents come at a time when governments are increasingly introducing age verification laws and private companies are using KYC checks to verify a person’s identity. Both rely on adults uploading sensitive documents, often to a third-party company, for verification, despite criticism from cybersecurity experts. Data lapses can put people whose information is taken at risk of identity fraud or misuse of their images as age verification requirements are imposed around the world.
