A hotel check-in system left a million passports and driver’s licenses open for anyone to see

A hotel check-in technology company exposed over one million customer documents through misconfigured cloud storage. The company left its AWS S3 bucket public, granting unrestricted access to passports, driver's licenses, and other identity documents without requiring authentication.

Security researchers discovered the exposed data while scanning for common misconfigurations. The vulnerability remained open for an extended period, leaving millions of hotel guests at risk of identity theft and fraud. The company failed to implement basic security practices like access restrictions or encryption on sensitive customer information.

This incident reflects a broader pattern in the hospitality tech sector. Companies handling identity documents often prioritize speed and convenience over security architecture. The exposed bucket contained documents from multiple hotel chains using the platform, multiplying the breach's scope across the industry.

The company reportedly secured the bucket after researchers notified them of the vulnerability. However, no timeline exists for determining how many bad actors accessed the data before the fix. Law enforcement and the FBI typically investigate breaches of this scale involving identity documents.

Hotel chains now face potential liability and notification obligations to affected customers under data protection regulations like GDPR and state privacy laws. Class action lawsuits from customers often follow breaches involving passports and driver's licenses due to the high identity theft risk.

This breach underscores why cloud security remains a top concern for startups handling sensitive data. Major providers like AWS offer free tools to detect public buckets, yet thousands of companies continue making this mistake. The hospitality sector specifically has struggled with data security, with multiple major chains experiencing breaches in recent years.

The incident raises questions about the company's security practices more broadly. If a startup misconfigures its primary customer data store, it suggests gaps in access control policies, security audits, and deployment procedures. Investors and hotel partners will likely demand immediate security assessments before continuing relationships with the platform.