A hotel’s check-in system left verification photos of more than 1 million customers’ passports, driver’s licenses and selfies on the open web after a security breach. The data is now offline after TechCrunch alerted the company responsible.
The hotel’s check-in system, called Tabiq, is maintained by Japan-based technology startup Reqrea. According to its website, Tabiq is used in several hotels across Japan and uses facial recognition and document scanning to check in guests.
Anurag Sen, an independent security researcher, contacted TechCrunch earlier this week after discovering that the system was leaking confidential documents of hotel guests from around the world. Sen said this was because the company had made one of the Amazon cloud-hosted storage buckets that the check-in system uses to store customer data publicly accessible. The internal data could be viewed by anyone with a web browser, without a password, as long as they knew the bucket name, “tabiq”.
Sen alerted TechCrunch to help notify the company. Reqrea locked down its storage buckets after TechCrunch contacted both the company and Japan’s cybersecurity coordination team, JPCERT.
This latest blunder highlights the recurring problem of companies exposing or leaking customers’ personal information and confidential documents, not through sophisticated attacks, but by failing to follow basic cybersecurity practices. Despite the recent buzz about vulnerabilities discovered by AI and new cybersecurity features, large-scale security incidents are often the result of human error, misconfiguration, or failure to adhere to cybersecurity best practices.
In an email confirming the disclosure, Reqrea director Masataka Hashimoto told TechCrunch that “the company is conducting a thorough investigation with the assistance of external legal and other advisors to determine the full scope of the disclosure.”
Reqrea said it did not know how the storage bucket came to be exposed. By default, Amazon cloud storage buckets are private. After a spate of customer bucket exposures a few years ago, Amazon added several warnings that customers must acknowledge before making their data public, making it increasingly difficult to commit this type of blunder by accident.
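As an added illustration, not code from the article or from Reqrea, here is the kind of offline check a defender can run over a bucket’s policy document and its Public Access Block settings to catch the misconfiguration described above; the policy documents, bucket name and account ID are constructed placeholders, and only policy-based public access is evaluated (ACL-based exposure is a separate check).

```python
# Actions that let an anonymous principal list a bucket or fetch its objects
# straight from a web browser, as in the exposure described above.
PUBLIC_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # Matches "Principal": "*" and "Principal": {"AWS": "*"} (or a list holding "*")
    if principal == "*":
        return True
    if isinstance(principal, dict) and "AWS" in principal:
        return "*" in _as_list(principal["AWS"])
    return False

def public_statements(policy):
    """(Sid, actions) for unconditioned Allow statements granting anonymous read/list."""
    found = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # grants narrowed by a Condition need separate review
        actions = sorted(set(_as_list(stmt.get("Action", []))) & PUBLIC_ACTIONS)
        if actions:
            found.append((stmt.get("Sid", "<no Sid>"), actions))
    return found

def bucket_is_public(policy, public_access_block):
    """True if the policy grants anonymous access and the bucket's PublicAccessBlock
    does not neutralise it. RestrictPublicBuckets is the setting that blocks an
    existing public policy; BlockPublicPolicy only stops a new one being written."""
    if public_access_block.get("RestrictPublicBuckets", False):
        return False
    return bool(public_statements(policy))

# Constructed samples in the shape of a get_bucket_policy document: the weak setting
# (anyone may list and fetch objects) beside a hardened one that admits only the
# application's IAM role. Bucket name and account ID are placeholders.
EXPOSED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AppRoleOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/checkin-app"},
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-bucket/*"}]}
```

Feed it the output of `get_bucket_policy` and `get_public_access_block` for each bucket in an account to flag the ones that would answer anonymous browser requests.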
Hashimoto told TechCrunch that the company plans to notify affected individuals once the investigation is complete.
It remains unclear whether anyone other than Sen accessed the leaked data before it was secured. Hashimoto said the company is examining logs to determine whether there was any unauthorized access before the bucket was secured.
Details of the exposed bucket were also captured by GrayHatWarfare, a searchable database that indexes publicly available cloud storage. The bucket’s listing contained files dating from the beginning of 2020 to this month, including identification documents of visitors from around the world.
The lapse in the hotel’s check-in system followed other incidents involving confidential government-issued documents. Earlier this year, TechCrunch reported that driver’s licenses, passports, and other identification documents uploaded by customers of money transfer service Duc App were compromised. Last year’s data breach at rental car service Hertz saw hackers steal driver’s license information for at least 100,000 customers.
These incidents come at a time when governments are introducing age verification laws and private companies are using “Know Your Customer” checks to verify a person’s identity. Despite criticism from cybersecurity experts, both rely on adults uploading sensitive documents, which are then passed to third-party companies for verification. As age verification requirements take hold around the world, data exposures could put those whose information has been stolen at increased risk of identity fraud and likeness misuse.