Hotel data breach: one million passports exposed online
- What happened: the misconfiguration that exposed everything
- The technical hurdle: what is a cloud misconfiguration
- The immediate impact: who pays the price for the mistake
- What nobody tells you: the hidden risk in SMEs
- What to do now: priority actions for companies
- Perspectives: Security as a Competitive Advantage
In May 2026, a major security incident affected a hotel check-in system. The technology company responsible had configured its cloud storage as public. As a result, over a million passports and driver's licenses were accessible to anyone, with no password required.
However, the problem isn't limited to the hospitality sector. In fact, cloud misconfiguration is now one of the main causes of data breaches across all sectors. Therefore, any company using cloud infrastructure – including SMEs – is potentially exposed to similar risks. In particular, those who entrust data management to third-party providers must regularly check access settings.
At SHM Studio, we are closely following these incidents. We believe the security of digital infrastructure is an operational priority, not an issue to be postponed. Therefore, this case represents a concrete opportunity to initiate an audit of your cloud configurations. In summary: a misconfiguration can cost much more than a proactive investment in security.
What happened: the misconfiguration that exposed everything
On May 15, 2026, TechCrunch reported a telling case of a data breach in the hotel industry. A technology company that manages hotel check-in systems had configured its cloud storage to be public. Anyone could freely access the stored data without credentials.
The result was devastating. Over a million identity documents—passports and driver's licenses—were visible and downloadable by anyone with the correct URL. No sophisticated attack was necessary. One just had to know where to look.
Therefore, this is not a case of hacking in the classical sense of the term. It is a human configuration error, known in the industry as cloud misconfiguration. However, the consequences for affected users are identical to those of an intentional breach.
The technical hurdle: what is a cloud misconfiguration
A cloud misconfiguration occurs when access settings to a cloud service are defined incorrectly. In this case, a storage bucket (likely on AWS S3 or a similar service) had been set to public access instead of private.
This type of error is surprisingly common. According to Gartner, almost all breaches in cloud environments are attributable to customer or vendor misconfigurations, not to vulnerabilities of the cloud provider itself.
Furthermore, the increasing complexity of cloud architectures—multi-cloud, microservices, distributed storage—increases the likelihood of misconfigurations. Each new service activated is a potential point of exposure. Consequently, the attack surface expands proportionally to the company's digital growth.
In particular, identity data such as passports and documents are among the most sensitive information. Their processing is regulated by the GDPR in Europe. Therefore, such an exposure entails notification obligations to the authorities and significant sanctioning risks.
The immediate impact: who pays the price for the mistake
The consequences of this incident are spread across multiple levels. First of all, end-users: the hotel customers whose documents were exposed. For them, the concrete risk is identity theft, document cloning, and fraudulent use of data.
As a result, the technology company responsible will face regulatory investigations. In Europe, the GDPR provides for fines of up to 41% of global annual revenue for violations of this severity. Furthermore, the supplier’s reputation will be irreparably damaged.
Finally, the hotels using the system are indirectly involved. Even though they didn't make the mistake, their customers were exposed. Therefore, the trust relationship with the clientele suffers real damage. This highlights a critical point: security responsibility is not fully transferred to the technology provider.
As the Harvard Business Review also points out, cyber resilience requires shared governance between companies and their suppliers. Relying solely on a contractual SLA is not enough.
What nobody tells you: the hidden risk in SMEs
Public debate on these incidents tends to focus on large companies. However, SMEs are often more exposed. They have fewer resources for overseeing cloud infrastructure and rely more heavily on external providers without verifying their security practices.
Many Italian small and medium-sized enterprises have adopted cloud solutions in recent years. They often did so quickly, without a structured security review process. Consequently, misconfigurations can remain invisible for months or years, until they are discovered by a researcher, a journalist, or worse, a malicious actor.
At SHM Studio, we observe this dynamic regularly: companies that have digitized critical processes, from customer management to document collection, without ever conducting an audit of access settings. The problem isn't cloud technology itself. The problem is the lack of governance.
Furthermore, the hotel check-in case concerns a specific sector. But the same pattern is replicated in very different fields: professional offices, clinics, real estate agencies, e-commerce platforms, and wherever else sensitive data is collected and stored on cloud infrastructure.
What to do now: priority actions for companies
This episode offers a concrete opportunity to review one's security practices. The actions to consider are clear and do not require extraordinary investments. However, they do require method and continuity.
- Cloud Configuration Audits: Verify that all storage buckets, databases, and exposed services have correct access settings. Specifically, no assets containing personal data should be publicly accessible without authentication.
- Vendor contract review: Service Level Agreements must include explicit clauses on data security. The provider must be responsible for the configurations they manage.
- Implementation of the principle of least privilege: Each user and each service should only access the data strictly necessary for its function.
- Continuous monitoring: Cloud Security Posture Management (CSPM) tools allow you to automatically detect misconfigurations before they become a problem.
- Staff training: Many configuration errors arise from a lack of awareness. A basic cloud security training program significantly reduces risk.
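The configuration audit in the first bullet can be written as a check over each bucket's access settings. This is an added example, not code from the article or from the vendor involved, and it assumes AWS S3 as the article suggests. The dictionary layout and bucket names are hypothetical; the public access block setting names, grantee group URIs and policy fields are the ones S3 uses.

```python
import json

# S3's predefined grantee groups that make an ACL grant public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

def is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": ["*", ...]}."""
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return aws == "*" or (isinstance(aws, list) and "*" in aws)

def exposure_findings(bucket):
    """Return the reasons a bucket is publicly exposed (empty list = private)."""
    pab = bucket.get("public_access_block", {})
    findings = []
    # Public ACL grants take effect only while IgnorePublicAcls is off.
    if not pab.get("IgnorePublicAcls", False):
        for grant in bucket.get("acl_grants", []):
            who = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI"))
            if who:
                findings.append(f"ACL grants {grant['Permission']} to {who}")
    # A wildcard Allow takes effect only while RestrictPublicBuckets is off.
    if not pab.get("RestrictPublicBuckets", False):
        stmts = json.loads(bucket.get("policy") or "{}").get("Statement", [])
        for s in [stmts] if isinstance(stmts, dict) else stmts:
            if s.get("Effect") == "Allow" and is_wildcard(s.get("Principal")):
                note = " (has Condition, review manually)" if s.get("Condition") else ""
                findings.append(f"policy allows {s.get('Action')} to everyone{note}")
    return findings

# Constructed sample inventory (hypothetical bucket names, not incident data).
READ_ANY = json.dumps({"Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-checkin-docs/*"}]})
LOCKED = {"IgnorePublicAcls": True, "RestrictPublicBuckets": True}
INVENTORY = {
    "example-checkin-docs": {"policy": READ_ANY},
    "example-backups": {"policy": READ_ANY, "public_access_block": LOCKED},
    "example-legacy": {"acl_grants": [{"Permission": "READ", "Grantee": {
        "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]},
}

def audit(inventory):
    """Map bucket name -> findings, keeping only exposed buckets."""
    checked = {n: exposure_findings(c) for n, c in inventory.items()}
    return {n: f for n, f in checked.items() if f}
```

In the sample, `example-backups` carries the same wildcard policy as `example-checkin-docs` but is not reported, because its public access block neutralises it; that setting is the safety net to verify on every bucket holding personal data.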
For SMEs managing customer data via digital platforms, a useful starting point is to review their web infrastructure and integrations with third-party cloud services.
Perspectives: Security as a Competitive Advantage
Looking at the coming months, it is reasonable to expect increasing attention from European supervisory authorities. The Italian Data Protection Authority and the authorities in other member states are increasing the frequency of inspections. Therefore, GDPR compliance is no longer a theoretical matter.
Similarly, customers—both B2B and B2C—are becoming more aware of the risks associated with managing their data. A company that demonstrates robust security practices gains a measurable reputational advantage. Conversely, a public incident can erode years of built-up trust.
In this context, investing in the security of digital infrastructure is not just a defensive necessity. It is a strategic choice. Companies that integrate security into their operational model, from data management with AI to digital presence, build a stronger foundation for growth.
Those who wish to delve deeper into the technical implications of secure cloud architectures can refer to the research of the McKinsey Digital Center, which documents how cybersecurity is becoming a competitive differentiator even for medium-sized businesses.
For Italian SMEs wishing to initiate an assessment of their digital security posture, the team at SHM Studio is available for a consultation, as well as for those who want to integrate security into their SEO, content and digital advertising strategies. Finally, those who run campaigns on social media platforms may find it useful to also check the advertising account access settings, such as those related to LinkedIn campaigns.
The SHM Studio Blog will continue to monitor the evolution of these themes. Because digital security is not a separate chapter from business strategy. It is an integral part of it.