Hotel Check-In Data Leak: 1M Passports Exposed via Open S3 Bucket

Jared H. Garr

CEO, Rebirth Distribution

Key Takeaways

  • Misconfigurations are the root cause: Over 1 million passport, driver’s license, and selfie verification images were exposed because an AWS S3 bucket was left publicly accessible — no password needed, just the bucket name.
  • This is a repetitive failure pattern: Time and again, companies expose sensitive data through simple human error or failure to follow basic security practices, not through sophisticated cyberattacks.
  • Real-world cost is identity fraud: Stolen government-issued documents feed identity theft and age-verification abuse, especially as more businesses adopt “know your customer” checks without security rigor.

The Misconfiguration That Leaked Everything

A hotel check-in system called Tabiq, maintained by the Japan-based tech startup Reqrea, leaked over one million customer passports, driver’s licenses, and selfie verification photos. The data was accessible to anyone with a web browser — no password, no authentication. Just the bucket name: “tabiq”.

Independent security researcher Anurag Sen spotted the exposure and contacted TechCrunch. After TechCrunch reached out to Reqrea and Japan’s cybersecurity team (JPCERT), the company locked the bucket down. But the damage was done: files dating from early 2020 up to the present day had already been indexed by GrayHatWarfare, a searchable database of open cloud storage.

This Isn’t a Sophisticated Attack — It’s Ops Failure

Here’s what actually happens in production: most data exposure incidents don’t come from zero-days or nation-state actors. They come from misconfigurations. In this case, the team set an Amazon S3 bucket to public without enforcing default privacy settings.

Reqrea’s director, Masataka Hashimoto, said the company doesn’t know how the bucket became public. That’s the problem. Amazon S3 buckets are private by default, and after a wave of similar exposures years ago, Amazon added multiple warning prompts before data can be made public. The fact that they couldn’t identify how it happened means their internal controls — and their incident response process — are broken.

The Real Cost Is Identity Fraud

This isn’t theory. When 1 million government-issued documents hit the open web, the cost shows up in months and years of identity theft, fraudulent account creation, and liability for both the company and the victims. The exposed data included passports, driver’s licenses, and facial verification images — the exact kind of information that powers age-verification laws and KYC checks globally.

Governments are pushing for more document collection — “know your customer” mandates are spreading. Every time a third party collects these files, the risk multiplies. One misconfiguration and you’re bleeding citizen data.

How This Pattern Repeats — and What to Do About It

Most people get this wrong: they assume that because the platform is “secure by default,” turning on public access must be safe, since someone else already made that decision. That’s not automation — that’s a liability. The fix is structural:

  • Block public buckets at the infrastructure level: Use S3 Block Public Access, AND audit your IAM roles. Default-private means nothing if someone clicks “public” during a demo.
  • Automate monitoring: Set up config rules that alert on any bucket becoming public — and trigger an automatic revert. Don’t rely on humans checking logs.
  • Treat S3 buckets like production databases: All access should go through application-level controls, not direct bucket access. Every file stored in the cloud should be behind authentication, not just a URL.
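The first two points above (block public access at the infrastructure level, and alert-and-revert automatically instead of waiting for a human to read logs) can be expressed as one small auditor. The script below is an added example for this article, not code from Reqrea or from the original post. Its calls and response shapes follow the real boto3 `s3` client (`get_public_access_block`, `get_bucket_policy_status`, `get_bucket_acl`, `put_public_access_block`), but `FakeS3` and the three bucket names in `demo_fleet()` are constructed stand-ins so it runs offline; for a real account you would replace `FakeS3` with `boto3.client("s3")` and feed it the names from `list_buckets()`.

```python
"""Audit S3 buckets for public exposure and apply Block Public Access.

Added example; not code from the article or from Reqrea. API names and
response shapes follow boto3's s3 client. FakeS3 and demo_fleet() are
constructed so the script runs offline.
"""

# Real S3 group URIs that make an ACL grant readable by everyone / any AWS user.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# The four S3 Block Public Access flags, all enforced.
FULL_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def missing_blocks(pab):
    """Flags not set to True in a PublicAccessBlockConfiguration ({} = never configured)."""
    return [flag for flag in FULL_BLOCK if not pab.get(flag, False)]


def acl_is_public(grants):
    """True if any ACL grant targets the AllUsers or AuthenticatedUsers group."""
    return any(
        g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS
        for g in grants
    )


def audit_bucket(s3, bucket):
    """Gather ACL, policy and block state; 'exposed' is the effective result.

    A public ACL is neutralised once IgnorePublicAcls is on, and a public
    policy once RestrictPublicBuckets is on, so both are taken into account.
    """
    try:
        pab = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except s3.exceptions.NoSuchPublicAccessBlockConfiguration:
        pab = {}
    try:
        policy_public = s3.get_bucket_policy_status(Bucket=bucket)["PolicyStatus"]["IsPublic"]
    except s3.exceptions.NoSuchBucketPolicy:
        policy_public = False
    acl_public = acl_is_public(s3.get_bucket_acl(Bucket=bucket)["Grants"])
    exposed = (acl_public and not pab.get("IgnorePublicAcls", False)) or (
        policy_public and not pab.get("RestrictPublicBuckets", False)
    )
    return {"bucket": bucket, "missing_blocks": missing_blocks(pab),
            "acl_public": acl_public, "policy_public": policy_public, "exposed": exposed}


def remediate(s3, buckets, dry_run=False):
    """Report every bucket missing a flag; unless dry_run, apply the full block.
    Returns the names that were changed."""
    changed = []
    for name in buckets:
        finding = audit_bucket(s3, name)
        if not finding["missing_blocks"]:
            continue
        print(f"{name}: exposed={finding['exposed']} missing={finding['missing_blocks']}")
        if not dry_run:
            s3.put_public_access_block(Bucket=name, PublicAccessBlockConfiguration=FULL_BLOCK)
            changed.append(name)
    return changed


# --- constructed offline stand-in for boto3.client("s3") ----------------------
class _Exceptions:
    class NoSuchPublicAccessBlockConfiguration(Exception):
        pass

    class NoSuchBucketPolicy(Exception):
        pass


class FakeS3:
    exceptions = _Exceptions

    def __init__(self, buckets):
        # name -> {"pab": dict | None, "policy_public": bool | None, "grants": [...]}
        self.buckets = buckets

    def get_public_access_block(self, Bucket):
        pab = self.buckets[Bucket]["pab"]
        if pab is None:
            raise self.exceptions.NoSuchPublicAccessBlockConfiguration()
        return {"PublicAccessBlockConfiguration": pab}

    def get_bucket_policy_status(self, Bucket):
        status = self.buckets[Bucket]["policy_public"]
        if status is None:
            raise self.exceptions.NoSuchBucketPolicy()
        return {"PolicyStatus": {"IsPublic": status}}

    def get_bucket_acl(self, Bucket):
        return {"Grants": self.buckets[Bucket]["grants"]}

    def put_public_access_block(self, Bucket, PublicAccessBlockConfiguration):
        self.buckets[Bucket]["pab"] = dict(PublicAccessBlockConfiguration)
        return {}


def demo_fleet():
    """Three constructed buckets: leaking via ACL, clean, and leaking via policy."""
    all_users = {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                 "Permission": "READ"}
    return FakeS3({
        "guest-id-scans": {"pab": None, "policy_public": None, "grants": [all_users]},
        "billing-archive": {"pab": dict(FULL_BLOCK), "policy_public": False, "grants": []},
        "partner-exports": {"pab": {**FULL_BLOCK, "RestrictPublicBuckets": False},
                            "policy_public": True, "grants": []},
    })


if __name__ == "__main__":
    fleet = demo_fleet()
    print("fixed:", remediate(fleet, list(fleet.buckets)))
```

Run with `dry_run=True` on a schedule and you have the alert; run without it and you have the automatic revert. The effective-exposure check matters: after remediation the public ACL grant on the first bucket still exists, but S3 ignores it, so the auditor reports it as no longer exposed while still surfacing `acl_public` for cleanup. The same end state can be enforced account-wide with the account-level Block Public Access setting and detected continuously with AWS Config managed rules such as `s3-bucket-level-public-access-prohibited`.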

The demo worked. Production didn’t. Because the bucket was public from day one, and nobody checked until a researcher found it.

What Comes Next for Reqrea and the Industry

Reqrea says it’s reviewing logs to determine if anyone else accessed the data before it was secured. Hashimoto stated the company will notify affected individuals after the investigation completes. That’s standard procedure, but it’s reactive. The question is: will the company implement guardrails?

The same pattern shows up across verticals — hotels, money transfer services like Duc App, and rental car companies like Hertz. Each time, sensitive documents (driver’s licenses, passports) sit in cloud storage without basic security. The industry keeps repeating the same failure mode, and the cost keeps piling up.

I’ve seen this at Rebirth Distribution. Fragile pipelines — the ones that work until something changes — collapse exactly when you need them most. The fix isn’t more documentation or a single audit. It’s embedding security into the operational flow. Automate. Enforce. Audit. Repeat.