What Happened
A technology company responsible for powering hotel check-in systems around the world made a critical security error — it left its cloud storage bucket set to public, meaning anyone with the right link could access the personal data of over a million guests without so much as a password.
The exposed files included scans of passports and driver's licenses submitted by travellers during the check-in process. This is some of the most sensitive personal information a person carries: government-issued photo ID that contains full legal names, dates of birth, ID numbers, and home addresses.
How It Was Discovered
Security researchers stumbled upon the exposed database, which had been sitting wide open with no access controls in place. This type of vulnerability — a misconfigured cloud storage bucket — is one of the most common and preventable causes of data breaches in the tech industry. Major cloud providers like AWS, Google Cloud, and Azure all default to private storage settings, meaning companies have to actively change configurations to make data public. In this case, that's exactly what happened, likely by accident.
The exposed records reportedly included images of ID documents uploaded by hotel guests, potentially from dozens or hundreds of properties using the same check-in platform.
Why This Is Serious
Passport scans are particularly valuable to bad actors. Unlike a credit card number that can be cancelled, a passport or driver's license contains biometric-adjacent data — your photo, your date of birth, your government ID number — that can be used for identity theft, fraud, and even creating fake documents.
Identity fraud using stolen government ID is notoriously difficult to recover from. Victims can spend years untangling fraudulent accounts, loans, or even criminal records opened in their name.
For travellers who checked into a hotel and handed over their ID as a routine part of the process, this breach is a reminder that the data doesn't always stay behind the front desk.
The Broader Problem
This incident fits into a troubling pattern in the hospitality industry. Hotels and their tech vendors collect enormous amounts of personal data — payment information, travel itineraries, ID documents — and don't always have the cybersecurity infrastructure to protect it.
In recent years, major hotel chains including Marriott and MGM have suffered significant data breaches. The MGM breach in 2023 was particularly disruptive, shutting down slot machines, hotel room keys, and reservation systems across multiple properties.
Smaller tech vendors that power hospitality systems often receive less scrutiny than the big brands themselves, even though they handle the same sensitive data.
What Travellers Should Know
If you've checked into a hotel in the past few years that asked to scan your passport or driver's license — which is standard practice internationally — your data may have passed through third-party systems you've never heard of.
Security experts recommend monitoring your credit report and government ID-linked accounts for unusual activity. If you're a Canadian traveller who has stayed at international hotels, it's worth checking whether any unusual activity appears on financial or government accounts.
The company involved has not yet been publicly named at the time of publication. TechCrunch, which broke the story, reported the storage was secured after researchers made contact.
Source: TechCrunch
