Hotel data breach: one million passports exposed in the cloud
- The incident: what happened and why it is relevant
- The mechanism of the error: one public bucket is enough to expose everything
- The immediate impact on the hospitality and retail sectors
- What to do now: The operational checklist for SMEs
- The regulatory framework: GDPR and data breach notification
- A Milanese agency's perspective: the cloud isn't automatically secure
- Perspectives: Cloud Security as a Competitive Lever
In May 2026, a major security incident affected the hospitality sector. The technology company managing a hotel check-in system configured its cloud storage as public. As a result, anyone could access over a million identity documents—passports and driver's licenses—without any password. The news, reported by TechCrunch, has rekindled the debate on cloud configuration management in companies that handle sensitive data.
However, the problem isn't limited to the hospitality sector. Many Italian SMEs entrust their customer data to cloud storage – AWS S3, Azure Blob, Google Cloud Storage – without periodically verifying access permissions. A bucket mistakenly configured as public, even temporarily, can expose thousands of records in minutes. Therefore, configuration review is not an optional activity; it's an operational priority.
At SHM Studio, we assist SMEs in evaluating their digital infrastructure with a consulting approach that begins with an analysis of concrete risks. We also remind you that the GDPR provides for significant penalties for organizations that do not adopt adequate technical measures to protect their customers' personal data. Acting before an incident occurs is always less expensive than managing its consequences.
The incident: what happened and why it's relevant
In mid-May 2026, TechCrunch reported a data breach that affected a hotel check-in system. The tech company responsible for the platform had configured its cloud storage with public visibility. In practice, anyone with the correct URL could download customers' identification documents without authentication.
Over a million passports and driver's licenses were freely accessible. This is particularly sensitive data: combined with first name, last name, and date of birth, it can be used for identity theft, financial fraud, and unauthorized access to digital services.
Therefore, this episode is not simply a piece of tech news. It is a concrete signal that SMEs—even those far removed from the hospitality sector—must read carefully.
The mechanism of the error: one public bucket is enough to expose everything
The main cloud providers — AWS, Microsoft Azure, Google Cloud — offer object storage such as S3, Blob Storage, and Cloud Storage. These services are secure by default, but require proper configuration by the user or technical provider.
In this case, the problem was elementary: the bucket had been set to public access. No sophisticated vulnerabilities, no zero-day attacks. Simply, a wrong — or never-checked — checkbox made data from a million people accessible.
In fact, according to Gartner, most cloud security incidents do not stem from vulnerabilities in the provider's systems, but from customer-side misconfigurations. This finding has been known for years, yet incidents continue to occur with alarming frequency.
In addition to this, the problem is compounded in organizations that outsource technical management to third-party providers. In these cases, configuration responsibility can become ambiguous, and periodic checks are often omitted.
The immediate impact on the hospitality and retail sectors
The hotel industry systematically collects guests' identification documents. However, it is not the only sector exposed. Retail, professional services, and e-commerce platforms also process personal data that, if exposed, can lead to severe legal and reputational consequences.
In Italy, the GDPR (General Data Protection Regulation) requires organizations to implement appropriate technical and organizational measures. Consequently, a public cloud bucket exposing personal data constitutes a direct violation of Article 32, which concerns the security of processing.
The penalties can amount to up to 41% of global annual revenue, or 20 million euros. Furthermore, the reputational damage—which is difficult to quantify—can erode customer trust in the long term. For an SME with slim margins, an incident of this kind can have existential consequences.
What to do now: The operational checklist for SMEs
The response to this type of incident does not require extraordinary investments. It requires method and attention to existing configurations. Below are the priority actions that every SME should verify immediately.
- Access permissions audit: Verify that all cloud buckets—AWS S3, Azure Blob, Google Cloud Storage—are configured with private access. No sensitive data should be publicly accessible without authentication.
- Enable public access blocking: AWS, Azure, and Google offer global public access blocking settings. These features should be enabled by default in all production environments.
- IAM policy review: Identity and Access Management policies must follow the principle of least privilege. Each user or service should only access the resources strictly necessary.
- Continuous monitoring: Tools like AWS Config, Azure Security Center, or Google Security Command Center automatically detect non-compliant configurations. Therefore, it is advisable to enable them and configure real-time alerts.
- Third-party vendor agreements: If cloud management is outsourced to an external partner, the contract must include explicit provisions regarding responsibility for security configurations and the procedures for periodic audits.
Similarly, it is useful to plan a periodic penetration test focused on cloud configurations, at least once a year or after every significant change to the infrastructure.
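The first two checklist items (private access and public access blocking) can be verified offline from the documents the AWS API returns for a bucket. The checker below is an added example, not code from the article or from SHM Studio: it reads a bucket policy, its ACL grants and its Public Access Block flags in the shapes returned by get_bucket_policy, get_bucket_acl and get_public_access_block, and the sample bucket "guest-id-scans" and its policy are constructed for illustration.

```python
"""Offline exposure check for an S3 bucket (added example, not from the article).
Inputs mirror get_bucket_policy / get_bucket_acl / get_public_access_block output."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def principal_is_public(principal):
    """'*' or {'AWS': '*'} (alone or in a list) means anyone on the Internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy_json):
    """Sids of Allow statements open to everyone with no Condition narrowing them."""
    stmts = json.loads(policy_json or "{}").get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts  # a single statement may be a dict
    return [s.get("Sid", "<no Sid>") for s in stmts
            if s.get("Effect") == "Allow" and not s.get("Condition")
            and principal_is_public(s.get("Principal"))]

def public_acl_grants(acl):
    """Permissions granted to the AllUsers / AuthenticatedUsers groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)]

def assess_bucket(policy_json, acl, public_access_block):
    """Return findings; an empty list means nothing publicly reachable was found."""
    pab = public_access_block or {}  # no configuration at all: nothing is blocked
    findings = [f"PublicAccessBlock.{flag} is off" for flag in PAB_FLAGS if not pab.get(flag)]
    if not pab.get("IgnorePublicAcls"):  # only this flag neutralises a public ACL
        findings += [f"ACL grants {p} to a public group" for p in public_acl_grants(acl)]
    if not pab.get("RestrictPublicBuckets"):  # and only this one a public policy
        findings += [f"policy statement '{s}' allows Principal *"
                     for s in public_policy_statements(policy_json)]
    return findings

# Constructed sample: a document-scan bucket with the "public" checkbox ticked.
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::guest-id-scans/*"}]})
EXPOSED_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
FULL_BLOCK = {flag: True for flag in PAB_FLAGS}  # the recommended production setting
```

Running assess_bucket(EXPOSED_POLICY, EXPOSED_ACL, None) lists the four missing Public Access Block flags plus the public ACL grant and the public policy statement; with FULL_BLOCK the same bucket yields no findings, which is exactly the safety net the checklist asks you to enable.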
The regulatory framework: GDPR and data breach notification
In the event of a personal data breach, the GDPR imposes precise obligations. First of all, the organization must notify the Personal Data Protection Authority within 72 hours of discovering the incident. Subsequently, if the breach involves a high risk to the rights of data subjects, it is also necessary to communicate it to the individuals concerned.
However, many SMEs lack internal procedures for managing these scenarios. The absence of an Incident Response Plan further exacerbates the situation in the event of a breach.
Therefore, regulatory compliance is not just a legal matter. It is also a competitive factor: B2B and retail customers are increasingly choosing suppliers that demonstrate maturity in data management. As highlighted by Harvard Business Review, companies that experience public data breaches see an average decline of 7.51% in their stock price in the days following the announcement.
A Milanese agency's perspective: the cloud isn't automatically secure
At SHM Studio, we often observe a widespread belief among Italian SMEs: relying on a large cloud provider means being safe. This perception is partially correct, but profoundly misleading.
Cloud providers guarantee the security of their infrastructure. However, configuring the environments remains the responsibility of the customer or their technical provider. This is the so-called shared responsibility model, which AWS, Azure, and Google explicitly document in their policies.
So, the problem isn’t the technology. It’s governance. SMEs that lack an in-house technical team tend to delegate cloud management entirely to external providers, without scheduling periodic audits or independent reviews. This approach exposes them to real risks, as the case study demonstrates.
In particular, for companies that collect identity documents, payment data, or health information, the level of attention must be proportionally higher. The applied artificial intelligence services and digital marketing strategies that we manage for our clients are always based on a verified and compliant data infrastructure.
Perspectives: Cloud Security as a Competitive Lever
Looking at the next 12-24 months, regulatory pressure on personal data processing is expected to increase. In Europe, the Data Act and the AI Act will introduce further requirements for organizations that process data at scale. Additionally, B2B buyers are including cybersecurity among their vendor selection criteria.
Consequently, SMEs that invest today in the correct configuration of their cloud infrastructure are not just avoiding penalties. They are building a measurable competitive advantage. As the McKinsey Global Institute points out, cyber resilience is now an indicator of business reliability perceived by markets.
Finally, let's remember that security is not a project with an end date. It is an ongoing process that requires periodic reviews, policy updates, and staff training. The web solutions and SEO strategies that we develop at SHM Studio are always integrated with an assessment of the client's overall digital maturity, including secure data management.
To learn more about how to structure a cloud security approach suitable for Italian SMEs, you can consult the resources on our blog or contact us directly for a preliminary assessment.