Hospitality app exposes more than one million credit cards

One hotel management services company has leaked full credit card details and personal data of more than one million guests, putting their financial accounts at risk.

The Cybernews research team has discovered a misconfiguration in Quoality systems that caused a severe data leak.

Based in India, Quoality is a company that develops a hotel and guest management platform called Guest Experience (GX). This B2B platform helps to manage contactless check-ins and checkouts, hotel services, guest arrivals, automated messaging, and payments for the hospitality industry.

A human error made by the company’s developers has likely jeopardized more than a million hotel guests. The guest's financial and personal information was left open to any bad actor online. The exposed guest data includes:

  • Address
  • Nationality
  • Phone number
  • Pickup date and time
  • Means of transportation
  • The source of booking
  • Full credit card details (CC)

The leak occurred due to an Elastic cluster lacking appropriate access controls. An Elasticsearch cluster is a group of connected servers, called nodes, that work together to store and search large amounts of data on Elasticsearch – an open-source search and analytics engine designed for real-time data indexing and querying.

Severe noncompliance that endangers clients

This leak could easily be exploited by threat actors who could craft targeted phishing campaigns, conduct doxxing attacks, or send spam.

The key cause for concern is the exposed full credit card details, which include CVV codes and expiry dates. In this instance, exploiting the victim's bank accounts is an easy task for cybercriminals as the threat actors could make unauthorized purchases from victims’ bank accounts by exploiting the leaked data.

“The exposure of full credit card details alongside customer booking information presents a significant risk of identity theft and financial damage for the affected individuals,” said Cybernews security researcher Bob Diachenko.

The data leak raises serious concerns regarding Quoality's compliance with data protection laws and regulations, especially regarding the security and handling of sensitive payment information.

“The leak shows that the company completely failed to meet industry standards such as PCI-DSS for storing sensitive payment information,” said Aras Nazarovas, security researcher at Cybernews. “Such a failure to meet secure payment information storage requirements can result in sizable fines from credit card companies and regulatory bodies.”

We’ve reached out to the company following our responsible disclosure guidelines, and the data is no longer exposed to the public. We’ve also asked the company to provide an on-the-record comment to help better understand what happened, but haven’t received any response.