Sark Technologies is proud of its reservation and management system, SuperINN. They describe it as the first web-based property management system designed specifically for the small lodging system.
They also advertise that SuperINN easily integrates with third-party sites and safely processes and stores credit cards.
On August 2, however, their external counsel notified consumers and the California State Attorney General’s Office of a breach that impacted “approximately 43,250 individuals residing across the U.S. and in 64 other countries, including 2,882 residents of California.”
According to the counsel’s summary of the incident, one or more attackers identified a vulnerability in an image upload function of the SuperINN Plus web application available to authenticated users that allowed the attacker to upload PHP web shells. The earliest of these web shells found on the system was dated September 23, 2018.
Investigators also found PHP scripts used to export data from the SuperINN Plus database. The data types included: encrypted card numbers, names, home and credit card billing addresses, telephone numbers, and email addresses of SuperINN.com’s customers’ guests.
Of note, they write:
It is assumed that the attacker had also obtained the decryption key using a PHP web shell. The earliest evidence of exported data available included records dated January 1, 2019 and later. The exported data continued through May 30, 2019. SuperINN.com became aware of the incident May 26, 2019.
The notification does not indicate how the firm first became aware of an incident, but by June 3:
SuperINN.com had (a) identified and removed the PHP web shells and (b) reconfigured the web application to prevent the ability to upload PHP files.
But that wasn’t the only issue investigators detected:
In addition to the PHP web shell, an attacker identified a SQL injection vulnerability in the web application and appeared to make use of it to pull encrypted cardholder data from the database. Available logs showed this SQL injection being used in June and July 2019. It is again assumed that the attacker had previously obtained the decryption key using a PHP web shell.
By July 16, 2019, SuperINN.com had (a) identified and removed the SQL injection vulnerability and (b) rotated encryption keys.
Based on this information, the window of potential exposure for card data has been set as September 23, 2018 through July 16, 2019.
Somewhat unusually, they actually provided all that technical detail to consumers who are being notified of the incident.
If you want to read their full report and template notification, you can find it here.