What Actually Happened: A Million Faces and Documents Left Unlocked
Reqrea, a Japanese tech startup, built Tabiq as an AI-powered hotel check-in system that uses facial recognition and document scanning to process guests. Somewhere in that build, someone configured an Amazon cloud storage bucket without access controls, leaving it open to anyone on the internet who knew where to look.
What that exposed: over one million passport photos, driver’s licenses, and selfie verification images belonging to hotel guests from around the world. No password required. No authentication. Just a publicly accessible bucket sitting on the open web.
Security researcher Anurag Sen found it. Not Reqrea. Sen contacted TechCrunch after discovering the exposure, and TechCrunch then alerted the company. The data went offline only after that contact was made.
That sequence matters. Nothing in the reporting suggests Reqrea had an internal control — automated scanning for publicly readable buckets, a security audit, or monitoring of access to the bucket — that caught this exposure before an outside researcher stumbled across it. The company responsible for storing some of the most sensitive personal data a traveler carries evidently had no mechanism to detect that it was broadcasting that data publicly.
The timeline raises a direct question: how long was the bucket open before Sen found it, and who else accessed it in that window? Passport photos and document scans don’t expire when a breach is discovered. That data can be used to build fake identities, bypass verification systems, or target individuals long after the original exposure ends. Every day the bucket sat open was another day that data was available to anyone — fraud operations, identity thieves, or state-level actors — and, unless server access logging or CloudTrail data events had been switched on for that bucket, without any record of who accessed it or when. S3 does not log object reads by default, so an operator who never enabled logging has no way to answer the second question after the fact.
Reqrea has not disclosed how long the data was exposed.
What Most Coverage Is Missing: This Is Biometric Data, Not Just a Password Leak
Most coverage of the Tabiq breach led with the number — one million records — and stopped there. That framing misses the point entirely.
Reqrea’s Tabiq system didn’t expose email addresses or hashed passwords. It exposed passport scans, driver’s licenses, and live selfie verification photos — the exact three-part combination that identity verification platforms use to confirm someone is a real person opening a real account. Banks use it. Crypto exchanges use it. Fintech apps use it. A bad actor holding a government ID scan plus a matching facial image can walk straight through those onboarding flows and open accounts in someone else’s name.
That’s what makes this breach categorically different from a credential dump or a stolen credit card number. A compromised password gets reset in two minutes. A compromised credit card gets cancelled and reissued. A passport can be reissued, but the scan of the old one still carries the holder’s name, date of birth, nationality and face, and a face cannot be changed at all. Every person whose data sat in that exposed Amazon S3 bucket carries that risk permanently — not until the next security patch, not until they update their settings, but for the rest of their lives.
The “one million records” headline also obscures what each record actually represents. This wasn’t a database of email addresses where one entry equals one data point. Each record is a complete identity verification package: a government-issued document confirming name, date of birth, nationality, and document number, paired with a biometric image of the person’s face. That package is the skeleton key for modern digital identity systems. One million of them sat publicly accessible on the open web, requiring no credentials to view.
Treating this as a volume story — big number, bad company, data now offline — lets the real danger disappear into statistics. The guests who checked into Tabiq-equipped hotels in Japan handed over that information because the system asked for it. They had no way to evaluate how Reqrea stored it, no warning that it would be left unprotected, and no ability now to undo the exposure.
The AI Check-In Boom: Convenience Sold Without a Security Conversation
Tabiq, a facial recognition and document-scanning check-in platform built by Japan-based startup Reqrea, operates across multiple hotels in Japan and pitches itself as a seamless replacement for the traditional front desk. Guests walk up, scan their passport or driver’s license, submit a selfie, and the system handles the rest. The process takes minutes. The data it collects — government-issued ID images, biometric selfies, personal details — gets stored in Amazon S3, and the size of the exposed bucket shows it is retained long after the guest has checked in.
That data sat exposed to the open internet because Reqrea misconfigured one of its Amazon S3 storage buckets, leaving it publicly accessible without authentication. Independent security researcher Anurag Sen discovered the leak and brought it to TechCrunch, which confirmed that over one million passport scans, driver’s licenses, and selfie verification photos were readable by anyone who knew where to look. No hacking required. No credentials needed.
The guests whose documents were exposed had no realistic way to know this risk existed. Nothing suggests hotels deploying Tabiq hand guests a plain-language disclosure explaining that their biometric data is being uploaded to a third-party cloud system maintained by a startup. The check-in kiosk presents itself as a convenience feature, not a data collection apparatus. The security architecture behind it — who stores the data, on what infrastructure, under what access controls — stays invisible to the person scanning their passport.
This is the core problem with the hospitality industry’s aggressive push toward AI-driven check-in automation. The technology moves fast because it cuts labor costs and appeals to guests who prefer skipping a queue. The security frameworks, disclosure standards, and vendor oversight requirements move far slower. Hotels adopt third-party AI systems and effectively delegate custody of their guests’ most sensitive documents to vendors whose internal security practices they rarely audit in depth. Reqrea’s misconfigured bucket is a direct product of that gap — a startup handling biometric data at scale with infrastructure settings that left a million records exposed.
Who Is Accountable? The Startup, the Hotels, and the Regulatory Gap
Reqrea bears direct responsibility for the misconfiguration that left over one million passport images, driver’s licenses, and selfie verification photos exposed on an open Amazon S3 bucket. The company built Tabiq, deployed it across multiple Japanese hotels, and configured the storage settings that made the breach possible. But accountability does not stop at the startup’s door. Every hotel that integrated Tabiq into its check-in process collected biometric data from guests and handed custody of that data to Reqrea. Under basic data protection principles, those hotels remain co-responsible for ensuring the third-party systems they deploy actually protect guest information.
Japan’s Act on the Protection of Personal Information establishes legal obligations around the handling of sensitive personal data, including biometric identifiers. The law applies here. But enforcement against smaller tech startups has been inconsistent, and Reqrea fits squarely in the category of companies that can fall through the cracks — too small to attract sustained regulatory scrutiny, yet operating infrastructure that processes identity documents at scale across an entire hospitality sector.
The most immediate failure compounds the original one: no public reporting indicates that affected guests have been notified. People whose passport scans and facial images sat exposed on the open web have received no warning, no guidance on steps they can take, and no acknowledgment that their data was compromised. They cannot replace a passport photo or a biometric profile the way they can cancel a credit card. The damage from exposure is permanent, and the silence from Reqrea and the hotels using Tabiq denies guests even the basic ability to assess their own risk.
TechCrunch alerted Reqrea to the exposure, and the data subsequently went offline. That Reqrea required a journalist’s intervention — rather than its own monitoring — to close a publicly accessible bucket holding over a million identity documents signals a security posture that was never adequate for the sensitivity of data the company was handling.
What Travellers Should Know — and Do — Right Now
If you checked into a hotel in Japan using a self-service kiosk or app that scanned your passport, driver’s licence, or took your photo, your data may have passed through Tabiq, Reqrea’s AI-powered check-in platform. Tabiq operates across multiple hotels in Japan and uses facial recognition and document scanning to process guests. More than one million passports, driver’s licences, and selfie verification photos were exposed through an unsecured Amazon cloud storage bucket — visible to anyone with a web browser and the right URL.
The immediate problem for affected guests is that no public list of hotels using Tabiq exists. Reqrea has not published one, and the hotels themselves have not stepped forward. That silence leaves guests with no reliable way to confirm whether their specific data was part of the breach. Reqrea and the hotels that deployed Tabiq need to release that information. Until they do, anyone who used a self-service check-in kiosk or app at a Japanese hotel in recent years should treat their data as potentially compromised.
There are steps worth taking now. Place a fraud alert with credit bureaus in your home country — this makes it harder for someone to open new accounts in your name using your identity documents. Monitor your existing financial accounts closely and watch for any unfamiliar credit inquiries or account-opening activity. If your passport number was exposed, contact your country’s passport issuing authority to flag the number and ask about the process for obtaining a replacement document.
What these steps cannot do is undo the biometric exposure. A facial scan is not a password. You cannot reset your face. If your selfie verification photo was accessed by a malicious actor, that data remains usable for identity spoofing indefinitely. That permanence is exactly what makes biometric breaches categorically more serious than a leaked email address or even a compromised credit card number — and exactly why the absence of direct notification from Reqrea and its hotel partners is unacceptable.
The Bigger Picture: A Warning Sign for Every Industry Adopting AI Verification
Tabiq is not an outlier. Across hospitality, retail, and travel, AI-powered identity verification tools are proliferating at speed, deployed by startups and mid-size vendors that lack the hardened security infrastructure banks and financial institutions spent decades building. Hotels scan faces and passports. Airlines verify travelers at gates. Retail kiosks capture biometric data at checkout. The data collected is more sensitive than a credit card number — and far more permanent.
Reqrea’s misconfigured Amazon S3 bucket exposed this reality in the starkest terms possible. More than one million passports, driver’s licenses, and facial recognition selfies sat open on the public web — not because of a sophisticated attack, but because of a basic configuration error any junior cloud engineer should catch. S3 buckets are private by default, and since April 2023 AWS has applied Block Public Access to every newly created bucket, so a bucket that is readable anonymously either predates that change or had the protection deliberately switched off and an explicit public grant added. That gap between ambition and execution is the defining risk of the startup-speed approach to biometric infrastructure. You can cancel a compromised credit card. You cannot issue someone a new face.
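The check that was missing, both here and in the earlier point about Reqrea having no internal scanning, is small enough to show in full. The following is an added example and not code from Reqrea, Tabiq or the original article: an offline audit that takes the three settings deciding whether a bucket is anonymously readable (the Public Access Block flags, the bucket policy and the bucket ACL) and renders one verdict. The inputs have the same shape boto3 returns from get_public_access_block, get_bucket_policy and get_bucket_acl, so the functions can be fed live data; the bucket name, the role ARN and both sample configurations are constructed for illustration.

```python
"""
Offline audit of the three S3 settings that decide whether anyone on the
internet can read a bucket.  Bucket name, role ARN and both sample
configurations are constructed; they are not Reqrea's actual settings.
"""
import json
from typing import Any

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Action patterns that let a caller read objects or enumerate keys.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value: Any) -> list:
    """IAM JSON allows a scalar wherever a list is accepted."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal: Any) -> bool:
    """'Principal': '*' and 'Principal': {'AWS': '*'} both mean anonymous."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_read_statements(policy: dict) -> list[dict]:
    """Allow statements granting read actions to everyone.  A Condition
    (e.g. aws:SourceVpce) may narrow the grant, so it is recorded for
    review rather than silently trusted."""
    hits = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & READ_ACTIONS:
            hits.append({"sid": stmt.get("Sid"), "actions": sorted(actions),
                         "conditioned": bool(stmt.get("Condition"))})
    return hits


def acl_public_grants(acl: dict) -> list[str]:
    """Grants to AllUsers (anonymous) or AuthenticatedUsers (any AWS account,
    which is public for practical purposes)."""
    out = []
    for grant in _as_list(acl.get("Grants")):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS):
            out.append(f"{uri.rsplit('/', 1)[-1]}:{grant.get('Permission')}")
    return out


def public_access_block_complete(pab: dict) -> bool:
    """All four flags must be true; each one closes a different path."""
    return all(pab.get(flag) is True for flag in PAB_FLAGS)


def assess_bucket(name: str, pab: dict, policy: dict, acl: dict) -> dict:
    """One verdict per bucket: what a scheduled audit job or CSPM rule
    should have produced before an outsider found the bucket."""
    policy_hits = public_read_statements(policy)
    acl_hits = acl_public_grants(acl)
    # RestrictPublicBuckets neutralises a public policy; IgnorePublicAcls
    # neutralises public ACL grants.  Without them the grants are live.
    via_policy = any(not h["conditioned"] for h in policy_hits) \
        and not pab.get("RestrictPublicBuckets")
    via_acl = bool(acl_hits) and not pab.get("IgnorePublicAcls")
    return {"bucket": name,
            "public_access_block_complete": public_access_block_complete(pab),
            "public_policy_statements": policy_hits,
            "public_acl_grants": acl_hits,
            "anonymous_readable": via_policy or via_acl}


BUCKET = "example-checkin-uploads"  # constructed name, not a real bucket

# Constructed "left open" shape: no Public Access Block, anonymous GetObject
# on every key, and a public-read ACL on top.
EXPOSED = {
    "pab": {flag: False for flag in PAB_FLAGS},
    "policy": {"Version": "2012-10-17", "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]},
    "acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                        "Permission": "READ"}]},
}

# Constructed hardened shape: every flag on, access limited to one
# application role, plaintext transport denied, owner-only ACL.
HARDENED = {
    "pab": {flag: True for flag in PAB_FLAGS},
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "AppRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/checkin-app"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]},
    "acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                        "Permission": "FULL_CONTROL"}]},
}

if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(label, json.dumps(assess_bucket(BUCKET, **cfg), indent=2))
```

The verdict deliberately looks at the flags individually rather than as a set: BlockPublicPolicy only stops new public policies from being attached, so a bucket whose policy was already public stays readable until RestrictPublicBuckets is on as well. Run over every bucket in the account on a schedule (or let IAM Access Analyzer, which produces the same finding, do it), the check turns "anonymous_readable: true" into an alert instead of a journalist's email.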
The hospitality sector has no equivalent of the Payment Card Industry Data Security Standard for biometric data — no baseline set of mandatory technical controls that any vendor handling face images and identity documents must meet before going live. The result is a marketplace where hotels outsource identity verification to third-party platforms without the tools or expertise to audit what those vendors actually do with the data. Guests hand over their most sensitive personal information at check-in and have no visibility into who stores it, how it is secured, or whether it is sitting exposed in a misconfigured cloud bucket.
Regulators need to act on this before the scale of the next breach dwarfs this one. Minimum security standards — mandatory encryption, access controls, breach notification timelines, and third-party audits — must apply specifically to any system collecting biometric data at scale. The Tabiq breach is a one-million-record warning. Without enforceable standards, the next exposure will be larger, and it will be found the same way this one was: by an outsider.