A technology company that provides hotel check-in systems left more than 1 million passports, driver’s licenses and other identification documents exposed online without password protection, according to security researchers who discovered the flaw. The misconfigured cloud storage bucket belonging to Mews contained files uploaded by multiple hotels using the company’s software, making personal data accessible to anyone with the direct link.

The breach was identified by Bobby Rauch, a security researcher who found the unsecured storage on April 28. The exposed data included scans of passports, driver’s licenses and national ID cards from guests across North America, Europe and Asia. Some files contained additional personal details such as full names, dates of birth and hotel reservation numbers, raising concerns about potential identity theft and fraud.

How the breach happened

Mews Systems, a Prague-based hospitality software provider, offers cloud-based check-in solutions used by thousands of hotels worldwide. The company’s system allows guests to upload identification documents during online check-in, which are then stored in the cloud. Security researchers say the company’s Amazon Web Services storage bucket was set to public access by default, a common but avoidable configuration error.

Rauch reported the issue to Mews on May 1, and the company secured the bucket within hours. A Mews spokesperson confirmed the exposure and said no evidence suggested the data was accessed by unauthorized parties before the fix. The company also stated it has since implemented additional security controls to prevent similar incidents.

Impact on affected guests

While Mews has not disclosed the exact number of exposed documents, security experts warn the breach could affect guests who stayed at hotels using the system between 2016 and 2024. The exposed IDs include passports from multiple countries, driver’s licenses from U.S. states and national ID cards from European nations. Experts advise affected individuals to monitor their credit reports, set up fraud alerts and consider identity protection services.

Hotels using Mews’ system were notified of the breach and advised to inform guests whose data may have been exposed. The incident highlights ongoing risks in the hospitality industry, where third-party vendors often handle sensitive guest information with varying degrees of security oversight. Many hotels rely on external software providers for check-in systems, payment processing and guest management, creating multiple potential entry points for cyberattacks.

Broader implications for data security

The exposure joins a growing list of misconfigured cloud storage breaches affecting millions of individuals. Earlier this year, a similar incident involving a U.S. healthcare provider exposed protected health information of nearly 100 million patients. These cases underscore the need for stricter oversight of third-party vendors and mandatory security audits for companies handling sensitive data.

Regulators including the European Data Protection Board and U.S. Federal Trade Commission have emphasized the importance of proper data storage configurations. Companies using cloud services must ensure default settings are adjusted to restrict public access and implement continuous monitoring to detect unauthorized exposure.

What You Need to Know

  • Source: TechCrunch
  • Published: May 15, 2026 at 18:51 UTC
  • Category: Technology
  • Topics: #techcrunch · #startups · #tech · #travel · #hotel · #hotel-check-in-system-data-breach

Read the Full Story

This is a curated summary. For the complete article, original data, quotes and full analysis:

Read the full story on TechCrunch →

All reporting rights belong to the respective author(s) at TechCrunch. GlobalBR News summarizes publicly available content to help readers discover the most relevant global news.

Curated by GlobalBR News · May 15, 2026

🇧🇷 Resumo em Português

O Brasil pode ter sido um dos milhões de países afetados por uma falha gravíssima em um sistema de check-in de hotéis, que deixou expostos dados sensíveis de mais de 1 milhão de pessoas, incluindo passaportes e CNHs, sem qualquer proteção por senha. A descoberta, feita por pesquisadores de segurança, expõe um problema recorrente no setor hoteleiro: a negligência com informações pessoais de hóspedes, muitas vezes armazenadas em servidores desprotegidos ou mal configurados.

O vazamento afeta não só turistas estrangeiros que passaram por hotéis ao redor do mundo, mas também brasileiros que fizeram check-in recentemente em estabelecimentos nacionais ou internacionais. A falta de criptografia ou controle de acesso básico coloca em risco a privacidade de milhões, abrindo brechas para fraudes, roubo de identidade e até chantagem. No Brasil, onde o uso de passaportes e documentos como a CNH é comum em viagens e locações, a exposição de tais dados pode ter consequências graves, especialmente diante do crescimento de crimes cibernéticos no país.

A empresa responsável pelo sistema já foi notificada e, segundo os pesquisadores, tomou medidas para corrigir a vulnerabilidade, mas o dano à reputação dos hotéis envolvidos — e à segurança de milhões de pessoas — já está feito. O caso reforça a necessidade urgente de regulamentações mais rígidas sobre proteção de dados no setor, especialmente em um momento em que o Brasil discute a implementação de leis que garantam maior segurança digital aos cidadãos.

🇪🇸 Resumen en Español

Un sistema automatizado de recepción de hoteles dejó al descubierto más de un millón de pasaportes y carnés de conducir en internet sin ninguna protección por contraseña. La filtración, descubierta por investigadores de ciberseguridad, expuso datos sensibles de clientes de todo el mundo, incluyendo hispanohablantes, durante meses sin que la empresa afectada adoptara medidas inmediatas.

El incidente, que afecta a cadenas hoteleras globales, pone de manifiesto los riesgos de la digitalización de procesos sin protocolos básicos de seguridad. Para los usuarios hispanohablantes, especialmente viajeros que suelen alojarse en establecimientos internacionales, la vulnerabilidad subraya la importancia de revisar la autenticidad de los sitios web antes de compartir documentos y de exigir transparencia a las empresas sobre el manejo de sus datos personales.