- A vulnerability in the image upload function of SuperINN plus web application allowed attackers to upload PHP web shells and export customer data from the database.
- Apart from this, an attacker identified a SQL injection vulnerability in the web application and abused it to extract encrypted cardholder data.
Sark Technologies’ reservation and management software SuperINN had a vulnerability in its image upload function. This allowed attackers to extract customers’ personal information.
The big picture
SuperINN became aware of the incident on May 26, 2019. After this, the organization launched an investigation and determined that a vulnerability in the image upload function of the application allowed attackers to upload PHP web shells.
- The PHP web shells were uploaded on the web application on September 23, 2018.
- Using the PHP scripts, the attackers were able to export customer data from the SuperINN plus database and obtain the decryption key.
- The database was accessed between January 01, 2019, and May 30, 2019.
- Apart from this, an attacker identified a SQL injection vulnerability in the web application and abused it to extract encrypted cardholder data from the database between June and July 2019.
What is the impact?
The incident impacted almost 43,250 across the globe, including 2,882 residents of California.
The compromised information includes customers’ names, addresses, phone numbers, email addresses, encrypted card numbers, and encrypted cardholder data.
What actions were taken?
- SuperINN.com identified and removed the PHP web shells on June 03, 2019.
- It also reconfigured the web application to prevent attackers from uploading PHP files in the future.
- The SQL injection vulnerability was identified and removed on July 16, 2019.
- The organization also rotated the encryption keys.
- Furthermore, SuperINN is conducting penetration testing in order to identify any other vulnerabilities in the systems and fix them if identified.
- It is also reviewing its systems and processes to improve its security measures and prevent such incidents from happening in the future.
“SuperINN.com sincerely regrets this data security incident and any inconvenience it may cause the affected individuals,” the security notice read.