Public Amazon S3 Bucket Exposes Over 1 Million Guest Passports, IDs, and Selfies from Japanese Hotel Platform Tabiq
What Happened — A misconfigured Amazon S3 bucket used by the Tabiq hotel‑check‑in system was left publicly accessible, allowing anyone to download more than 1 million guest documents—including passports, driver’s licenses, and selfie verification photos—from early 2020 to May 2026.
Why It Matters for TPRM —
- Cloud‑storage misconfigurations can expose personally identifiable information (PII) at massive scale, creating regulatory and reputational risk for both the SaaS provider and its hotel clients.
- Third‑party risk programs must verify that vendors enforce proper bucket policies, encryption, and continuous monitoring to prevent accidental public exposure.
- The breach highlights the need for contractual clauses requiring prompt breach notification and evidence of regular security‑configuration audits.
Who Is Affected — Hospitality & tourism (hotels, resorts), travel‑tech platforms, and any downstream service that processes guest identity data; potentially millions of travelers worldwide.
Recommended Actions —
- Review contracts with Tabiq/Reqrea to ensure cloud‑configuration controls, encryption‑at‑rest, and audit‑log retention are mandated.
- Request evidence of recent security‑configuration scans and remediation processes for all third‑party cloud storage.
- Add a clause for immediate breach notification and support for forensic investigation.
Technical Notes — The exposure resulted from a publicly readable S3 bucket (“tabiq”) that lacked bucket‑policy restrictions and server‑side encryption. No known CVE was exploited; the vector was a simple misconfiguration. Exposed data types: passports, driver’s licenses, national ID cards, and selfie images used for facial‑verification. Source: SecurityAffairs