A Hotel Check-In System Left a Million Passports and Driver’s Licenses Open for Anyone to See

TechCrunch (Main), May 15, 2026

Why It Matters

The leak puts millions at risk of identity theft and highlights the vulnerability of KYC processes that rely on third‑party cloud storage, pressuring firms to tighten data‑security controls.

Key Takeaways

  • Over 1 million passports and IDs exposed via public cloud bucket
  • Tabiq, run by Japan’s Reqrea, stores data on Amazon S3
  • Security researcher Anurag Sen discovered the misconfiguration and reported it
  • Company locked bucket, reviewing logs, will notify affected guests
  • Incident highlights risks of KYC processes relying on third‑party storage

Pulse Analysis

The Tabiq incident illustrates a growing trend where basic cloud‑configuration mistakes, rather than sophisticated attacks, cause massive data exposures. By leaving an Amazon S3 bucket publicly accessible, Reqrea inadvertently made sensitive government‑issued documents searchable by anyone with the bucket name. Such oversights are increasingly rare thanks to AWS’s warning prompts, yet they persist, especially among startups rapidly scaling identity‑verification services. The breach serves as a cautionary tale for any organization handling personally identifiable information (PII) in the cloud.

For businesses that depend on Know‑Your‑Customer (KYC) checks, the fallout is two‑fold. First, the exposure of passports and driver’s licenses can fuel identity‑theft schemes, as criminals gain authentic documents for fraud or synthetic‑identity creation. Second, the reputational damage erodes consumer trust, potentially prompting regulators to tighten oversight of third‑party data processors. Companies must adopt a zero‑trust stance, encrypting data at rest, enforcing strict bucket policies, and conducting regular audits to detect misconfigurations before they become public.

Industry experts recommend a layered security approach: combine automated configuration scanning tools with manual reviews, enforce least‑privilege access, and maintain detailed logging for forensic analysis. As governments worldwide roll out age‑verification and other identity‑based regulations, the demand for secure verification platforms will surge. Providers that embed robust security controls into their architecture will gain a competitive edge, while those that neglect basic safeguards risk costly breaches and regulatory penalties.
