"The bucket was publicly accessible without a password; Amazon cloud storage defaults to private."
A hotel check-in system, Tabiq, maintained by Japan-based Reqrea, left over 1 million customer identity documents (passports, driver's licenses, and selfie verification photos) publicly accessible on an Amazon cloud storage bucket named "tabiq." Independent security researcher Anurag Sen discovered the exposure and alerted TechCrunch, which contacted Reqrea and Japan's cybersecurity team JPCERT. Reqrea secured the bucket after notification.
Key Details
- The bucket contained files dating from early 2020 to the present, including identity documents from visitors worldwide.
- The bucket was publicly accessible without a password, even though Amazon cloud storage is private by default.
- Reqrea director Masataka Hashimoto stated the company is reviewing logs to determine whether anyone else accessed the data.
- The bucket was also indexed by GrayHatWarfare, a searchable database of public cloud storage.
Background
- This incident follows similar exposures at money transfer service Duc App and car rental company Hertz.
- Governments are increasing age-verification and "know your customer" requirements, which rely on uploading sensitive documents.
- Cybersecurity experts criticize such practices due to the risk of identity fraud.
Statements
"We are conducting a thorough review with the support of external legal counsel and other advisors to determine the full scope of exposure."
— Masataka Hashimoto, Reqrea Director
Hashimoto noted the company plans to notify affected individuals after the investigation.