India-based Quoality Systems expose over 1m credit cards

• Address, nationality, phone number, pickup date and time, means of transportation, source of booking, full credit card details exposed.
• Quoality fails to adhere to industry standards such as the Payment Card Industry Data Security Standard.
• Cybernews research team discovers a misconfiguration in Elastic cluster that caused the data leak.

Discovery of a misconfiguration within India-based Quoality Systems has sent shockwaves through the cybersecurity community.

The Cybernews research team unearthed a grave oversight within Quoality’s hotel and guest management platform, Guest Experience (GX), leading to a severe data leak.

The breach has potentially compromised the sensitive information of over a million hotel guests, exposing their financial and personal details to malicious actors on the internet.

Quoality, a company specialising in developing innovative solutions for the hospitality industry, prides itself on offering the Guest Experience platform as a comprehensive tool for managing contactless check-ins and checkouts, hotel services, guest arrivals, automated messaging, and payments.

However, a critical human error made by the company’s developers has now cast a shadow over its reputation and integrity.

A treasure trove of guest data

The data leak such as address, nationality, phone number, pickup date and time, means of transportation, source of booking, full credit card details – was attributed to an Elastic cluster misconfiguration, where inadequate access controls on the Elasticsearch cluster left a treasure trove of guest data vulnerable to exploitation.

Elasticsearch clusters, comprising interconnected nodes for data storage and retrieval, are integral to the real-time indexing and querying capabilities of the platform. Unfortunately, this misstep allowed threat actors to potentially weaponise the exposed information for malicious purposes such as targeted phishing campaigns, doxxing attacks, or spamming activities.

Of particular concern is the revelation that the leaked data includes full credit card details, encompassing sensitive information like CVV codes and expiry dates.

The critical oversight significantly raises the risk of identity theft and financial harm for the affected individuals.

Identity theft

Cybersecurity experts, including Bob Diachenko and Aras Nazarovas from Cybernews, have underscored the gravity of this breach, emphasising the potential ramifications for both the impacted guests and Quoality Systems.

Bob Diachenko, a seasoned security researcher at Cybernews, highlighted the immediate threat posed by the exposure of full credit card details alongside customer booking information.

The combination of data elements not only facilitates identity theft but also opens the door for cybercriminals to exploit victims’ bank accounts through unauthorised transactions, leveraging the leaked information to their advantage.

On the regulatory front, Aras Nazarovas, another security researcher at Cybernews, drew attention to the implications of Quoality’s failure to adhere to industry standards such as the Payment Card Industry Data Security Standard (PCI-DSS).

The mishandling of sensitive payment information not only jeopardises the trust of customers but also exposes the company to potential fines from credit card companies and regulatory bodies for non-compliance with data protection laws and regulations.

The repercussions of this data breach extend beyond immediate financial risks, encompassing broader concerns about data security, privacy, and corporate accountability.

Cybernews have reached out to the company following its responsible disclosure guidelines, and the data is no longer exposed to the public.

“We’ve also asked the company to provide an on-the-record comment to help better understand what happened, but haven’t received any response.”