A Startup Left Your Passport Sitting Wide Open

Reqrea, a Japan-based tech startup, operates a hotel check-in system called Tabiq. It uses facial recognition and document scanning to process hotel guests. That means it holds some of the most sensitive personal data on the planet — passports, driver's licenses, selfie photos.

All of it was sitting in an Amazon cloud storage bucket named, simply, "tabiq." No password. Publicly accessible. Viewable by anyone with a browser who knew the bucket name.

According to TechCrunch, independent security researcher Anurag Sen discovered the exposure and contacted TechCrunch earlier in the week of May 15, 2026. The data is now offline — but only after TechCrunch alerted both Reqrea and Japan's cybersecurity coordination team, JPCERT.

More than 1 million customer records were exposed.

This Wasn't a Hack. It Was Stupidity.

There was no sophisticated foreign adversary. No zero-day exploit. No elite criminal operation.

Someone at Reqrea configured an Amazon S3 bucket to be publicly accessible and apparently didn't notice — or didn't care. Amazon, after a wave of similar incidents years ago, added multiple warning prompts specifically to prevent this kind of mistake. You have to actively override them.

Reqrea director Masataka Hashimoto told TechCrunch the company "does not know" how the bucket became public. The company was holding a million people's government IDs.

The exposed bucket was also indexed by GrayHatWarfare, a searchable database that catalogs publicly visible cloud storage. So it wasn't just theoretically accessible — it was findable.

Nobody Knows Who Else Was In There

Hashimoto told TechCrunch the company is reviewing logs to determine if anyone accessed the data before Sen discovered it. That review may or may not produce useful answers.

Passive data grabs leave minimal traces. Someone could have downloaded every file in that bucket and Reqrea might never know. The company says it will notify affected individuals once its investigation is complete. For travelers whose passport photos and ID scans may already be in someone else's hands, that notification comes too late.

Why Do Hotels Have All This Data Anyway?

According to Mashable's reporting on similar incidents, hotels collect identity documents primarily because governments require it — not because chains want to build surveillance databases.

Katie Moussouris, CEO of LutaSecurity, said: "A lot of the motivation behind it is for law enforcement purposes." Hotels in many countries are legally required to record guest identification so local authorities can track movements if needed.

Marriott told Mashable when asked about its own data practices that passport collection is "governed in part by country, state or, in some cases, city-specific regulations." Japan is no exception — hotels there routinely scan IDs as a legal compliance measure.

The problem isn't that the data exists. The problem is that companies like Reqrea collect it, store it in the cloud, and treat it like it's disposable.

This Is Part of a Pattern the Industry Refuses to Fix

This is not a one-off story. According to TechRadar, a separate incident involved hackers stealing hotel guest data and leaking it on Telegram. The Cybernews source referenced a Best Western parent company warning guests about a six-month reservation system breach — six months before anyone noticed.

And then there's the granddaddy: the Marriott-Starwood breach, reported in late 2018, exposed the unencrypted passport numbers of more than 5 million guests over four years. The primary suspect, according to U.S. investigators, was the Chinese government. Those passport numbers aren't just personally embarrassing — they're intelligence gold for tracking dissidents, journalists, diplomats, and business travelers.

Four years. Unencrypted. Five million passports. China.

And here we are in 2026 with a startup leaving a million IDs in a bucket named after itself.

Regulatory Failure

Most tech media is treating this as a routine "oops, misconfigured cloud bucket" story. The broader issue is regulatory failure. If governments mandate that hotels collect passport-level identity data, they need to mandate security standards for how that data is stored. Right now there are essentially none with teeth.

Tabiq is marketed to hotels across Japan. The exposed data almost certainly includes foreign nationals — tourists, business travelers, potentially government officials — whose home countries have no recourse under Japanese data protection law.

A small startup with apparently no security culture is building facial recognition check-in systems for hotels in the first place.

What This Means for You

If you've stayed at a hotel in Japan recently and used an automated check-in kiosk, your passport scan may have been in that bucket. You likely won't know for certain until — or if — Reqrea completes its investigation and sends notifications.

A passport scan cannot be un-leaked. Biometric photos cannot be recalled. If this data was accessed, it is gone permanently.

The hospitality industry keeps collecting the most sensitive documents people carry. It keeps storing them carelessly. And it keeps getting caught only after researchers or journalists stumble onto the mess.