HomeIntelligenceBrief
BREACH BRIEF🟠 High Breach

Public Amazon S3 Bucket Exposes Over 1 Million Guest Passports and IDs from Japanese Hotel Platform Tabiq

A misconfigured Amazon S3 bucket used by the Tabiq hotel check‑in platform leaked more than one million passports, driver’s licenses, and selfie verification photos. The breach underscores the critical need for third‑party risk programs to enforce strict cloud‑configuration controls and rapid breach‑notification clauses.

LiveThreat™ Intelligence · 📅 May 19, 2026· 📰 securityaffairs.com
🟠
Severity
High
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
3 recommended
📰
Source
securityaffairs.com

Public Amazon S3 Bucket Exposes Over 1 Million Guest Passports, IDs, and Selfies from Japanese Hotel Platform Tabiq

What Happened — A misconfigured Amazon S3 bucket used by the Tabiq hotel‑check‑in system was left publicly accessible, allowing anyone to download more than 1 million guest documents—including passports, driver’s licenses, and selfie verification photos—from early 2020 to May 2026.

Why It Matters for TPRM

  • Cloud‑storage misconfigurations can expose personally identifiable information (PII) at massive scale, creating regulatory and reputational risk for both the SaaS provider and its hotel clients.
  • Third‑party risk programs must verify that vendors enforce proper bucket policies, encryption, and continuous monitoring to prevent accidental public exposure.
  • The breach highlights the need for contractual clauses requiring prompt breach notification and evidence of regular security‑configuration audits.

Who Is Affected — Hospitality & tourism (hotels, resorts), travel‑tech platforms, and any downstream service that processes guest identity data; potentially millions of travelers worldwide.

Recommended Actions

  • Review contracts with Tabiq/Reqrea to ensure cloud‑configuration controls, encryption‑at‑rest, and audit‑log retention are mandated.
  • Request evidence of recent security‑configuration scans and remediation processes for all third‑party cloud storage.
  • Add a clause for immediate breach notification and support for forensic investigation.

Technical Notes — The exposure resulted from a publicly readable S3 bucket (“tabiq”) that lacked bucket‑policy restrictions and server‑side encryption. No known CVE was exploited; the vector was a simple misconfiguration. Exposed data types: passports, driver’s licenses, national ID cards, and selfie images used for facial‑verification. Source: SecurityAffairs

📰 Original Source
https://securityaffairs.com/192302/data-breach/public-amazon-bucket-leaks-sensitive-guest-data-from-japanese-hotel-platform-tabiq.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →