AI-Powered Hotel Check-In System Exposes Over a Million Guest IDs in Japan

The incident involves an AI system (facial recognition and document scanning) used in a digital identity verification platform. The breach exposed sensitive personal data processed by this AI system, leading to direct harm through potential identity theft and fraud. The harm relates to violations of privacy and data protection rights, which fall under violations of human rights and legal obligations. The AI system's role in handling and verifying identity documents is pivotal to the incident, making this an AI Incident rather than a hazard or complementary information.

The hotel check-in system employs AI technologies such as facial recognition and document scanning, qualifying it as an AI system. The incident stems from a misconfiguration in the system's cloud storage, leading to the exposure of sensitive personal data, including passports and driver's licenses, affecting over a million individuals. This exposure constitutes harm to individuals' privacy and security, fitting the definition of harm to persons and violation of rights. The AI system's involvement in processing and storing this data is pivotal to the incident. Hence, this event is classified as an AI Incident.

The incident directly involves an AI system (Tabiq) that uses facial recognition and document scanning, which are AI technologies. The breach resulted from a cloud storage misconfiguration, a failure in the system's deployment and data management, leading to the exposure of sensitive personal data. This exposure has already caused harm by risking identity theft and biometric misuse, which are violations of privacy and personal rights. The AI system's role in collecting, processing, and storing this data is pivotal to the harm. Hence, this is an AI Incident rather than a hazard or complementary information.

The hotel check-in system uses AI technologies (facial recognition and document scanning) to process guest data. The security lapse (misconfiguration of cloud storage) led to the exposure of sensitive personal information, which is a violation of privacy rights and a breach of obligations under applicable law protecting fundamental rights. The harm is realized, not just potential, as the data was accessible publicly. Hence, this is an AI Incident involving the use and malfunction (misconfiguration) of an AI system leading to harm to individuals' rights.