A hotel check-in platform left its cloud storage publicly accessible, exposing approximately one million customer passports and driver's licenses without password protection.
The tech company operating the system misconfigured its cloud storage settings, setting the database to public instead of restricting access to authorized personnel only. Anyone with an internet connection could view the sensitive identification documents.
The exposed data included full copies of passports and driver's licenses from hotel guests across multiple properties. No authentication was required to access the information.
The misconfiguration was discovered and reported to the company, which secured the storage following notification. The exact number of affected individuals and the duration the data remained exposed have not been fully disclosed.
This incident highlights a recurring vulnerability in hospitality technology: the storage of high-value personal identification data combined with inadequate security controls. Hotels collect ID documents during check-in to verify guest identity and comply with regulations, but improper storage creates significant privacy risks.
Cloud storage misconfigurations remain a leading cause of data breaches across industries. Security best practices require that sensitive data be stored with encryption, access controls, and authentication requirements. Default settings should assume private storage unless explicitly configured otherwise.
The incident raises questions about the company's security protocols and oversight mechanisms. Organizations handling sensitive customer data face increasing scrutiny from regulators and the public following high-profile breaches.
Affected guests may face elevated identity theft risks. Passports and driver's licenses provide sufficient information for fraudsters to commit identity fraud or create forged documents.
U.S. federal prosecutors have unsealed charges against three Russian nationals accused of operating a bulletproof hosting service that supported ransomware gangs responsible for over $62 million in damages worldwide.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server instances. Organizations running affected versions must patch immediately.
Tailscale disclosed a critical vulnerability in its SSH implementation that allowed attackers to gain root access through insecure argument handling. The flaw has been patched in recent versions.
A new study found that social media platforms referred over 5.7 million visits to nonconsensual deepfake pornography sites between December 2025 and March 2026, with YouTube and X accounting for the majority of traffic.