DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

SuperINN Plus notifying clients of hack; more than 43,000 consumers impacted

Posted on August 6, 2019 by Dissent

Sark Technologies is proud of its reservation and management system, SuperINN. They describe it as the first web-based property management system designed specifically for the small lodging system.

They also advertise that SuperINN easily integrates with third-party sites and safely processes and stores credit cards.

On August 2, however, their external counsel notified consumers and the California State Attorney General’s Office of a breach that impacted “approximately 43,250 individuals residing across the U.S. and in 64 other countries, including 2,882 residents of California.”

According to the counsel’s summary of the incident, one or more attackers identified a vulnerability in an image upload function of the SuperINN Plus web application available to authenticated users that allowed the attacker to upload PHP web shells. The earliest of these web shells found on the system was dated September 23, 2018.

Investigators also found PHP scripts used to export data from the SuperINN Plus database. The data types included: encrypted card numbers, names, home and credit card billing addresses, telephone numbers, and email addresses of SuperINN.com’s customers’ guests.

Of note, they write:

It is assumed that the attacker had also obtained the decryption key using a PHP web shell. The earliest evidence of exported data available included records dated January 1, 2019 and later. The exported data continued through May 30, 2019. SuperINN.com became aware of the incident May 26, 2019.

The notification does not indicate how the firm first became aware of an incident, but by June 3:

SuperINN.com had (a) identified and removed the PHP web shells and (b) reconfigured the web application to prevent the ability to upload PHP files.

But that wasn’t the only issue investigators detected:

In addition to the PHP web shell, an attacker identified a SQL injection vulnerability in the web application and appeared to make use of it to pull encrypted cardholder data from the database. Available logs showed this SQL injection being used in June and July 2019. It is again assumed that the attacker had previously obtained the decryption key using a PHP web shell.

By July 16, 2019, SuperINN.com had (a) identified and removed the SQL injection vulnerability and (b) rotated encryption keys.

Based on this information, the window of potential exposure for card data has been set as September 23, 2018 through July 16, 2019.

Somewhat unusually, they actually provided all that technical detail to consumers who are being notified of the incident.

If you want to read their full report and template notification, you can find it here.

Related posts:

  • Justice Department announces court-authorized effort to disrupt exploitation of Microsoft Exchange Server vulnerabilities
Category: Business SectorHackSubcontractorU.S.

Post navigation

← AT&T Insiders Bribed With Over $1 Million To Unlock 2 Million Phones And Hack Their Employer, DOJ Claims
People: Do NOT Call This Site About the AMCA Breach →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.