Hotel Vendor Exposes a Million IDs
2026-05-16
A public cloud bucket, not a hacker, appears to be the real threat to hotel guests this time. Security researchers report that a hotel check-in platform left about a million passport and driver's license images exposed after its storage was configured for open access with no authentication barrier at all.
This incident shows how boring misconfiguration can be more dangerous than any sophisticated exploit. The vendor running the check-in software set its object storage to public read, which meant anyone who knew or guessed the URL could retrieve high-resolution scans, complete with names, document numbers, birth dates and addresses, all ready for optical character recognition and automated fraud pipelines.
What makes this worse is that the system exists to speed up front-desk queues, not to run an identity warehouse. Hotels outsourced the workflow, yet the vendor effectively built a central repository of sensitive personally identifiable information without matching investment in access control lists, encryption at rest or basic segregation of customer data across tenants.
The real cost will not be borne by the software company but by guests whose documents can be reused for account takeovers, synthetic identities and black-market verification services. Regulators are likely to ask why such a cache sat in public cloud space, waiting to be indexed by search engines, long before any formal breach notice reached the people whose faces and ID numbers were on file.