What authority did you have...
...to go poking around sites and contents just because they were hosted there. They were renting compute and web services from you - what the hell has their content or processes got to do with you, unless it's illegal? PCI is a compliance issue, not a legal one, and without authorisation you should not have been poking around. If it had been my hosting firm you wouldn't have walked , I'd have pushed you.
This is how hosting and cloud compute is supposed to operate - without dickheads like you sticking their nose in.
Back to the main topic - it's piss poor security indeed where modifying a url lets you see others details. However the current laws would consider this hacking and may land you in jail. Which is fucking mad - but true.